1. Introduction
Microsoft IIS Translate f: ASP/ASA Source Disclosure (IIS 5.1) is a vulnerability affecting older versions of Microsoft’s web server software. It allows an attacker to view the source code of ASP and ASA files when they are stored on a FAT partition. This can expose sensitive information like usernames and passwords used for database connections, potentially leading to data breaches or system compromise. Systems running IIS 5.1 with applications using ASP/ASA files on FAT partitions are at risk. A successful exploit could result in confidentiality loss due to source code exposure.
2. Technical Explanation
The vulnerability occurs because IIS 5.1 does not properly handle requests for ASP/ASA files stored on a FAT partition, revealing the raw source code instead of executing it. An attacker can simply request an ASP or ASA file to view its contents. The CVE associated with this issue is CVE-2000-0778. For example, if an application stores a database connection string in an ASP file on a FAT drive, an attacker could retrieve that string by requesting the file via HTTP.
- Root cause: Incorrect handling of file requests when files are located on a FAT partition.
- Exploit mechanism: An attacker sends a standard HTTP request for an ASP or ASA file hosted on a FAT volume. The server returns the source code instead of processing it. Example request:
GET /path/to/file.asp HTTP/1.1 - Scope: Microsoft IIS 5.1 is affected. Other versions are not known to be vulnerable.
3. Detection and Assessment
You can confirm if a system is vulnerable by checking the file system where ASP/ASA files are stored, or using vulnerability scanners.
- Quick checks: Check the IIS configuration to determine which partitions applications are hosted on. Use Windows Explorer to verify the drive type of application directories.
- Scanning: Nessus plugin ID 81d0b19f can detect this vulnerability. SecurityFocus BID 14764 may also identify affected systems.
- Logs and evidence: IIS logs will not directly indicate this vulnerability, but monitoring for unusual file requests to ASP/ASA files could be helpful. Event IDs are unlikely to be specific.
dir /a C:inetpubwwwroot4. Solution / Remediation Steps
The recommended solution is to install the web server on an NTFS partition. This prevents the source code disclosure vulnerability.
4.1 Preparation
- Ensure sufficient disk space is available on an NTFS partition. A roll back plan involves restoring the backup if issues occur during the migration.
- A change window should be planned with approval from application owners.
4.2 Implementation
- Step 1: Stop the World Wide Web Publishing Service (W3SVC) using the Services control panel or command line:
net stop w3svc - Step 2: Move all ASP/ASA files and associated directories from the FAT partition to a new location on an NTFS partition.
- Step 3: Update IIS configuration to point to the new directory structure on the NTFS partition using IIS Manager.
- Step 4: Start the World Wide Web Publishing Service (W3SVC):
net start w3svc
4.3 Config or Code Example
Before
C:inetpubwwwroot (FAT partition)After
D:websites (NTFS partition)4.4 Security Practices Relevant to This Vulnerability
Practices such as least privilege and secure defaults can help mitigate the impact of this vulnerability type. For example, limiting access to web server directories reduces the potential damage from source code disclosure. Input validation is not directly applicable here but is a good general practice.
- Practice 1: Least privilege – restrict file system permissions to only authorized users and groups.
- Practice 2: Patch cadence – Regularly update IIS with security patches, although this specific vulnerability is addressed by configuration change rather than patching.
4.5 Automation (Optional)
Automation scripts are not recommended for this particular issue due to the complexity of IIS configuration and potential disruption. Manual migration is safer.
5. Verification / Validation
Confirm the fix by attempting to access an ASP/ASA file on the original FAT partition. You should receive an error or a blank page instead of source code.
- Post-fix check: Attempt to request
http://yourserver/path/to/file.asp. Expected output: A 404 Not Found error, or a generic IIS error message. - Re-test: Re-run the Nessus scan (plugin ID 81d0b19f) to confirm that the vulnerability is no longer detected.
- Monitoring: Monitor IIS logs for any unexpected errors related to file access or ASP/ASA processing.
curl -I http://yourserver/path/to/file.asp6. Preventive Measures and Monitoring
Regular security baselines and asset management can help prevent similar issues. For example, ensuring that all web servers are configured according to a secure baseline standard will reduce the risk of misconfigurations like hosting applications on FAT partitions.
- Baselines: Update your IIS hardening baseline to include requirements for NTFS file systems.
- Pipelines: Implement checks in deployment pipelines to verify that application files are not being deployed to FAT partitions.
- Asset and patch process: Regularly review the configuration of web servers to identify any potential vulnerabilities or misconfigurations.
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Potential downtime during the file move and IIS configuration update. Mitigation: Plan the migration during off-peak hours.
- Roll back: 1) Restore the backup of website content to the original FAT partition. 2) Revert IIS configuration settings to point back to the FAT partition. 3) Restart the World Wide Web Publishing Service (W3SVC).
8. References and Resources
- Vendor advisory or bulletin: http://www.nessus.org/u?81d0b19f
- NVD or CVE entry: CVE-2000-0778
- Product or platform documentation relevant to the fix: No specific documentation available for this legacy issue.