Preventing ViewCode.asp from Viewing Known Server Files

ID: Q231656

The information in this article applies to:

Microsoft Site Server version 3.0

SYMPTOMS

Default installations of Microsoft Site Server include ViewCode.asp, a tool provided so that users can view files in the sample sites. However, a Web visitor can also view any file on the server whose Access Control List (ACL) allows access by Web visitors and whose name the visitor knows or guesses.

Please note, however, that the Web visitor cannot change, delete, or add any files.

CAUSE

The ViewCode.asp tool does not restrict which files a visitor to a Web site can view.

RESOLUTION

To resolve this problem, obtain the latest service pack for Site Server 3.0. For additional information, please see the following article in the Microsoft Knowledge Base:

Q219292 How to Obtain the Latest Site Server 3.0 Service Pack

WORKAROUND

Remove all copies of ViewCode.asp from the production server, or set the ACLs for them so that only the appropriate users can use them.

NOTE: Per normal security practices, the ACLs on the server should always be set to enable Web visitors to view only the files they need anyway, and to deny access to all others.

STATUS

This problem was first corrected in Site Server 3.0 Service Pack 3.

MORE INFORMATION

Microsoft highly recommends that customers evaluate the degree of risk that this vulnerability poses to their systems and determine whether to download and install the fix.

This fix corrects the vulnerability by restricting ViewCode.asp to viewing only files in the current directory. However, Web site operators who do not have a need to provide the file viewing capability may choose to remove all copies ViewCode.asp from the server altogether.

Environment in Which ViewCode.asp May Cause Security Risk

The security exposure is limited to the situation in which all of the following is true:

Servers that have the sample sites installed.

The sample sites are not protected by ACLs.

Sensitive data exists on the same logical drive as ViewCode.asp.

Files containing sensitive data allow the "Everyone" user group read or greater access in the ACL.

Malicious users know the path and filename of files that contain sensitive data.

Installing the Fix

The fix installation program, Update.exe, automatically replaces existing ViewCode.asp files.

NOTE: Common_viewcode.asp is used to replace the "common" ViewCode.asp file in the six directories listed below. PubSys_viewcode.asp is used to replace the existing ViewCode.asp in the Publishing sample (\Microsoft Site Server\SiteServer\Publishing).

Versions and Locations of ViewCode.asp

A complete installation of Site Server 3.0 will install various copies of ViewCode.asp in different directories. Therefore, if you to choose to remove it, perform a full-disk search to locate all copies.

The following six directories contain the same version of ViewCode.asp:

\Microsoft Site Server\Sites\Knowledge\Membership\Inspired
\Microsoft Site Server\Sites\Knowledge\Membership\Inspiredtutorial
\Microsoft Site Server\Sites\Samples\Knowledge\Membership\Inspired
\Microsoft Site Server\Sites\Samples\Knowledge\Membership\Inspiredtutorial
\Microsoft Site Server\Sites\Samples\Knowledge\Push
\Microsoft Site Server\Sites\Samples\Knowledge\Search

However, the Publishing sample (\Microsoft Site Server\SiteServer\Publishing) contains a different version of ViewCode.asp that is customized to work specifically with the Publishing samples, which allows the samples to work as properly, but prevents a malicious user from gaining access to files outside of the sample sites.

NOTE: ViewCode.asp should always have the ACL permissions set to Administrators only, or to a group that is limited to Web content developers.

Code Changes in the Fix

The issue is that ViewCode.asp uses "server.mappath" without any restrictions on what is passed to this function. Because ViewCode.asp allows a user to enter a path and filename, a malicious user could gain access to, and read (read-only), any known file on the same logical disk as ViewCode.asp that is not protected (no ACLs set for it).

The code added to the InitFileReading function in ViewCode.asp is as follows (these lines of code may wrap):


'Limit function to .asp and .vbo files in current and child directories
If instr(1, strVirtualPath, "..", 1) <> 0 Then
    Response.Write("<HR> The path to the requested file cannot be mapped.<HR>")
    fFileError = TRUE
ElseIf instr(1, strVirtualPath, ".asp", 1) = 0 And instr(1, strVirtualPath, ".vbo", 1) = 0 Then
    Response.Write("<HR> The path to the requested file cannot be mapped.<HR>")
    fFileError = TRUE
ElseIf Left( strVirtualPath, 1) = "/" or Left( strVirtualPath, 1) = "\" Then
    If instr(1, strVirtualPath, "/siteserver/publishing", 1) = 0 And instr(1, strVirtualPath, "/sites/knowledge/membership", 1) = 0 And instr(1, strVirtualPath, "/sites/samples/knowledge", 1) = 0 Then
        Response.Write("<HR> The path to the requested file cannot be mapped.<HR>")
        fFileError = TRUE
    End If
End If

For the Publishing sample sites, a slightly different modification is required (these lines of code may wrap):


'Limit function to .asp, .vbo, .inc, .txt, and .prf files in current, cmsample, fpsample, and child directories
If instr(1, strVirtualPath, "..", 1) <> 0 Then
    Response.Write("<HR> The path to the requested file cannot be mapped.<HR>")
    fFileError = TRUE
ElseIf instr(1, strVirtualPath, ".asp", 1) = 0 And instr(1, strVirtualPath, ".vbo", 1) = 0 And instr(1, strVirtualPath, ".inc", 1) = 0 And instr(1, strVirtualPath, ".txt", 1) = 0 And instr(1, strVirtualPath, ".prf", 1) = 0 Then
    Response.Write("<HR> The path to the requested file cannot be mapped.<HR>")
    fFileError = TRUE
ElseIf Left( strVirtualPath, 1) = "/" or Left( strVirtualPath, 1) = "\" Then
    If instr(1, strVirtualPath, "/siteserver/publishing", 1) = 0 And instr(1, strVirtualPath, "/cmsample", 1) = 0 And instr(1, strVirtualPath, "/fpsample", 1) = 0 Then
        Response.Write("<HR> The path to the requested file cannot be mapped.<HR>")
        fFileError = TRUE
    End If
End If

Purpose of ViewCode.asp & Related MSDN Sample

The purpose of ViewCode.asp is to show the Web content developer the code that makes the sample sites work. This type of function is also used on the Web author's workshop on the MSDN site (http://msdn.microsoft.com/workshop/c-frame.htm#/workshop/author/default.asp).

If you base your content on one of the sample sites, remove the buttons (links) that load the code into ViewCode.asp to display it.

About Installing Samples & Documentation on Production Servers

Most Site Server users do not install the sample sites on their production servers, just as they do not install the documentation. They are not typically needed on the production servers, as they use additional disk space, and because of the fact that they are just samples, they may not be secure as needed in a production environment.

If you have a need to include the samples on a production server, however, consider restricting access to them to your developers only.

Additional References

Please see the following reference for more information related to this issue:

Microsoft Security Bulletin MS99-013, "Patch Available for ViewCode.asp Vulnerability" (The Web-posted version of this bulletin), http://www.microsoft.com/security/bulletins/ms99-013.asp.

For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security.

Additional query words: patch hotfix hot fix qfe default setup set up viewcode utility hacker breach read see source

Keywords : SS3SP3Fix
Version : winnt:3.0
Platform : winnt
Issue type : kbbug