1. Introduction
The Microsoft IIS / Site Server viewcode.asp Arbitrary File Access vulnerability is a flaw in a default IIS file that can expose unnecessary information about your server’s file system and source code. A malicious user could potentially read any file on the web server’s hard drive, leading to sensitive data disclosure. This affects servers running IIS or Site Server with the vulnerable viewcode.asp file present. Likely impact is high confidentiality loss, low integrity compromise, and moderate availability disruption if exploited for denial of service.
2. Technical Explanation
The vulnerability exists because the viewcode.asp file allows unauthenticated users to request and view source code files on the server. This happens due to insufficient access controls on this default file. Attackers can use a simple HTTP request to retrieve arbitrary files, potentially including configuration files or application source code. The CVE associated with this issue is CVE-1999-0737.
- Root cause: Missing or inadequate access control lists (ACLs) on the viewcode.asp file allowing world-readable access.
- Exploit mechanism: An attacker sends an HTTP request to viewcode.asp with a parameter specifying the path of the desired file. For example, http://example.com/viewcode.asp?file=/etc/passwd could attempt to read the /etc/passwd file on a Linux server (if accessible).
- Scope: Affected platforms are servers running Microsoft IIS or Site Server with the default viewcode.asp file enabled.
3. Detection and Assessment
Confirming vulnerability requires checking for the presence of the viewcode.asp file and verifying its permissions. A quick check is to attempt accessing it via a web browser.
- Quick checks: Use a web browser to navigate to http://yourserver/viewcode.asp. If the page displays source code, or prompts for a filename, the file exists and may be vulnerable.
- Scanning: Nessus plugin ID 167 can identify this vulnerability. Other scanners may have similar checks.
- Logs and evidence: Check IIS logs for requests to viewcode.asp. Look for unusual file access patterns or attempts to read sensitive files. Event IDs are not typically specific to this issue.
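The log review described above can be scripted. The following PowerShell function is an added example and not part of the original advisory: it reads IIS W3C-format log lines, uses the #Fields directive to locate the URI stem and query columns, and reports every request to viewcode.asp together with the client address, the requested file parameter and the status code, so that requests carrying "../" style traversal sequences stand out. The log text is constructed sample data, and the file= parameter name follows the example in section 2.

```powershell
# Added example (not from the original advisory): flag viewcode.asp requests in IIS W3C logs.
# The log text below is constructed sample data, not output from a real server.
$sampleLog = @'
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-05-10 10:15:01 203.0.113.5 GET /default.asp - 200
1999-05-10 10:15:07 203.0.113.5 GET /viewcode.asp file=/default.asp 200
1999-05-10 10:15:09 203.0.113.5 GET /viewcode.asp file=../../global.asa 200
1999-05-10 10:16:30 198.51.100.8 GET /images/logo.gif - 200
'@

function Find-ViewcodeRequests {
    param([string[]]$Lines)

    $fields = $null
    foreach ($line in $Lines) {
        # A "#Fields:" directive names the columns for the data lines that follow it
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        # Skip other directives, blank lines, and data that precedes any #Fields header
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }

        $values = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $rec[$fields[$i]] = $values[$i]
        }

        if ($rec['cs-uri-stem'] -match '(?i)/viewcode\.asp$') {
            [pscustomobject]@{
                Time      = "$($rec['date']) $($rec['time'])"
                ClientIP  = $rec['c-ip']
                Query     = $rec['cs-uri-query']
                Status    = $rec['sc-status']
                # "../" or "..\" in the query is the strongest sign of an attempt to leave the web root
                Traversal = [bool]($rec['cs-uri-query'] -match '\.\.[\\/]')
            }
        }
    }
}

# Run against the sample; on a real server pass the lines of your IIS log files instead,
# e.g. Find-ViewcodeRequests -Lines (Get-Content '<path to IIS W3SVC log>')
Find-ViewcodeRequests -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

Against the sample data the function returns the two viewcode.asp requests and marks the second one as a traversal attempt. Percent-encoded traversal sequences are not decoded here; add a [System.Uri]::UnescapeDataString call on the query if your logs contain them.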
Command-line equivalent of the quick check:
curl -I http://yourserver/viewcode.asp
4. Solution / Remediation Steps
The best solution is to remove the viewcode.asp file if it isn’t needed. If required, restrict access using appropriate ACLs.
4.1 Preparation
- Dependencies: None. The rollback plan is to restore the IIS configuration backup.
- Change window needs: A short maintenance window may be required, especially for busy servers. Approval from a system owner is recommended.
4.2 Implementation
- Step 1: Delete the viewcode.asp file from the IIS web root directory. The default location is typically C:\inetpub\wwwroot.
- Step 2: If deletion isn’t possible, configure access control lists (ACLs) to restrict read permissions on viewcode.asp to only authorized users or groups. Use IIS Manager to modify file permissions.
4.3 Config or Code Example
Before
File Permissions: Everyone - Read & Execute
After
File Permissions: Administrators - Full Control, System - Read & Execute. Remove "Everyone" permissions.
4.4 Security Practices Relevant to This Vulnerability
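The ACL change in step 2 and the "After" permissions above can be applied from PowerShell. The script below is an added example, not the advisory's own script: Protect-ViewcodeAcl saves the file's current security descriptor as SDDL text, stops inheritance from the web root so that "Everyone" cannot return through an inherited entry, purges every entry for Everyone, and grants only Administrators (Full Control) and SYSTEM (Read & Execute); Restore-ViewcodeAcl reapplies the saved DACL for the rollback described in section 7. The file path is the default web root from step 1 and the backup file name is an assumption; adjust both for your site.

```powershell
# Added example (not the original advisory's script): apply the 4.3 "After" permissions to
# viewcode.asp, keeping a copy of the original ACL so the change can be rolled back.
# Default path is the IIS web root from step 1; the .acl.bak name is this example's choice.

function Protect-ViewcodeAcl {
    param(
        [string]$Path = 'C:\inetpub\wwwroot\viewcode.asp',
        [string]$BackupPath = "$Path.acl.bak"
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Host "$Path not found; nothing to change."
        return
    }
    $acl = Get-Acl -LiteralPath $Path

    # Save the current security descriptor (SDDL text) for the rollback in section 7
    Set-Content -LiteralPath $BackupPath -Value $acl.Sddl -Encoding ASCII

    # Stop inheriting the web root's entries and do not copy them; otherwise "Everyone"
    # would come straight back through inheritance
    $acl.SetAccessRuleProtection($true, $false)

    # Drop every entry for Everyone, then grant only the two principals listed under "After"
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]'Everyone')
    $admins = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList 'BUILTIN\Administrators', 'FullControl', 'Allow'
    $system = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList 'NT AUTHORITY\SYSTEM', 'ReadAndExecute', 'Allow'
    $acl.AddAccessRule($admins)
    $acl.AddAccessRule($system)

    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Host "Hardened $Path; original ACL saved to $BackupPath"
}

function Restore-ViewcodeAcl {
    param(
        [string]$Path = 'C:\inetpub\wwwroot\viewcode.asp',
        [string]$BackupPath = "$Path.acl.bak"
    )
    $sddl = (Get-Content -LiteralPath $BackupPath -Raw).Trim()
    $acl = Get-Acl -LiteralPath $Path
    # Reapply only the DACL from the backup; owner and group are left untouched
    $acl.SetSecurityDescriptorSddlForm($sddl, [System.Security.AccessControl.AccessControlSections]::Access)
    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Host "Restored original ACL on $Path from $BackupPath"
}

Protect-ViewcodeAcl
```

Run it from an elevated PowerShell session. After the change the anonymous IIS account no longer has read access, so the file returns an access-denied error rather than source code, which is the outcome section 5 checks for; Restore-ViewcodeAcl undoes it if an application turns out to depend on the file.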
Several security practices can help prevent this type of issue.
- Practice 1: Least privilege – limit access rights to only those necessary for each user or service account, reducing the impact if an account is compromised.
- Practice 2: Secure defaults – avoid using default configurations that may have known vulnerabilities. Regularly review and harden system settings.
4.5 Automation (Optional)
A PowerShell script can be used to check file permissions and remove the viewcode.asp file.
# Check if viewcode.asp exists and has world-readable permissions
# Default IIS web root; adjust if the site lives elsewhere
$filePath = "C:\inetpub\wwwroot\viewcode.asp"
if (Test-Path $filePath) {
    $acl = Get-Acl $filePath
    # Any access entry for the Everyone principal counts as world-readable here
    if ($acl.Access | Where-Object { $_.IdentityReference -like "*Everyone*" }) {
        Write-Host "Viewcode.asp exists with world-readable permissions. Removing..."
        Remove-Item $filePath -Force
    } else {
        Write-Host "Viewcode.asp exists but does not have world-readable permissions."
    }
} else {
    Write-Host "Viewcode.asp does not exist."
}
5. Verification / Validation
Confirm the fix by verifying that viewcode.asp is no longer accessible or has restricted access.
- Post-fix check: Use a web browser to navigate to http://yourserver/viewcode.asp. You should receive an error message (404 Not Found) if the file was deleted, or an Access Denied error if permissions were modified.
- Re-test: Repeat the quick check from section 3. The page should no longer display source code or prompt for a filename.
- Monitoring: Monitor IIS logs for any attempts to access viewcode.asp, which should now be minimal or non-existent.
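The quick check from section 3 and the post-fix check above are the same HTTP request interpreted differently. The function below is an added example, not part of the original advisory: it sends a HEAD request for viewcode.asp (no file parameter), reads the status code whether or not Invoke-WebRequest raises on it, and maps 200 to "still exposed", 404 to "removed" and 401/403 to "restricted by ACL". The hostname is a placeholder to replace with your own server.

```powershell
# Added example (not from the original advisory): the section 3 quick check and the section 5
# post-fix check as one function. Only the status code is inspected; no file parameter is sent.
function Test-ViewcodeExposure {
    param([string]$BaseUrl = 'http://yourserver')   # placeholder, replace with your server

    $url = "$BaseUrl/viewcode.asp"
    try {
        $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10
        $status = [int]$resp.StatusCode
    } catch {
        # Invoke-WebRequest throws on 4xx/5xx; the response is still available on the exception
        if ($_.Exception.Response) {
            $status = [int]$_.Exception.Response.StatusCode
        } else {
            throw   # connection failure, DNS error, timeout: nothing to interpret
        }
    }

    $result = switch ($status) {
        200                 { 'EXPOSED: viewcode.asp served to an anonymous client' }
        404                 { 'OK: file removed' }
        { $_ -in 401, 403 } { 'OK: access restricted by ACL' }
        default             { 'Unexpected status; inspect manually' }
    }

    [pscustomobject]@{ Url = $url; Status = $status; Result = $result }
}

Test-ViewcodeExposure -BaseUrl 'http://yourserver'
```

Run it before and after remediation and keep both outputs as evidence for the change record; a 200 after the change means the file is still being served and the ACL or deletion did not take effect on the path IIS actually uses.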
Command-line equivalent of the post-fix check:
curl -I http://yourserver/viewcode.asp
6. Preventive Measures and Monitoring
Regular security assessments and baseline configurations can help prevent similar vulnerabilities.
- Baselines: Update your IIS security baseline to include a check for unnecessary files like viewcode.asp and enforce appropriate ACLs. Consider using CIS benchmarks.
- Asset and patch process: Maintain a regular patch cycle for IIS and other server software, applying security updates promptly.
7. Risks, Side Effects, and Roll Back
Deleting viewcode.asp may break functionality if it’s unexpectedly used by an application. Modifying ACLs incorrectly could also disrupt website access.
- Risk or side effect 1: Deleting a required file can cause website errors. Mitigation is to restore the backup configuration.
- Risk or side effect 2: Incorrect ACL changes may block legitimate users. Mitigation is to revert the ACLs to their previous state.
- Roll back:
- Step 1: Restore the IIS configuration from your backup.
- Step 2: Restart the World Wide Web Publishing Service (W3SVC).
8. References and Resources
Links to official advisories and documentation.
- Vendor advisory or bulletin: https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/1999/ms99-013
- NVD or CVE entry: CVE-1999-0737