Web servers using Microsoft Internet Information Server 3.0 and 4.0 software are vulnerable to a bug that can expose the source code to scripts on certain Web sites, and could reveal sensitive information such as passwords stored in the script.
The bug occurs when specific code is attached to the end of an IIS active server page URL. Once the code is appended after the "asp" and the URL is entered into the navigation bar, the browser will then show script to the page's source code. Besides active server pages, some sites with URLs ending with "cfm" are also affected.
The HTML coding of Web pages is normally viewable through the "page source" or "document source" commands found on most browsers. But script source code is not supposed to be viewable, developers say. One reason is that scripts can interact with corporate databases and may contain user names and passwords to those databases.
"Hackers would love to get hold of this information because it will tell them exactly what they can do to cause all sorts of havoc on a Web site," Alan Moses, a Web site developer who administrates an IIS 4.0 Web server, wrote in an email message. "With very little experience or effort a hacker could execute commands on the server, possibly downloading secure or valuable data, or destroy data and files."
Microsoft acknowledged that it was notified about the problem two days ago and has since been working on a fix. Microsoft has already developed a so-called hot fix for servers using 3.0, and posted a workaround today. A "hot fix" is a program that changes another program to fix it. In other words, if a program was a road, then a hot fix would fill in the potholes.
However, one Microsoft developer maintained that the glitch is not universal, but rather depends on how a server is configured.
"When you use a browser to connect to a site, if you know the name of the file and the file allows you some sort of access, either read or execute, then it's possible for you to see what's in the file," said Windows NT product manger Karan Khanna.
As a fix to prevent the source code from being accessed, Khanna suggested: "Just update your script map in the registry and then apply the hot fix."
Similar to the IIS 3.0 "dot" glitch reported last year by CNET NEWS.COM, the current security hole can be found by simply adding "::$DATA" to the end of the active server page URL. Thus, changing "http://www.domainname.com/default.asp" to "http://www.domainname.com/default.asp::$DATA" will, in certain instances, reveal the source code that has been designated off-limits by Web site administrators.
Last week, similar source code bugs were found to affect server software by Netscape Communications, O'Reilly & Associates, and Sun Microsystems. All three companies blamed the Windows operating system for the security hole.
According to Moses, the scripts can be viewed using Internet Explorer 3.0 and 4.0 browsers. However, Netscape's Navigator 3.0 browser does not recognize the code, and 4.0 users need to download the files and open them.
Microsoft says the glitch will not affect all sites using IIS 3.0 and 4.0. Khanna noted that no one can develop the perfect operating system.
"If you look at security, it's mathematically impossible to make an OS 100 percent secure," explained Khanna. "Security is like a journey, not a destination."
NEWS.COM reporter Paul Festa contributed to this report.