Microsoft server not secure
By Nick Wingfield
February 20, 1997, 1:30 p.m. PT
Update: Microsoft's (MSFT) Internet Information Server 3.0
contains a security hole that could potentially expose database
passwords and other sensitive information to the public.
Today, Microsoft confirmed that the latest version of its Web server
has a glitch in a feature called Active Server Pages that could
inadvertently reveal private information to hackers. Active Server
Pages allows Web developers to combine scripts with HTML code so that
a Web page can display, for example, the correct time when a user
accesses the page.
The problem also affects two other scripting features in IIS 3.0, HTML
Extension (HTX) and Internet Database Connector (IDC).
Unlike some security holes found in Web servers and other products,
the IIS glitch doesn't require an extremely sophisticated hacker to
exploit it. When faced with a Web page that uses Active Server Pages,
a user need only type a period after the file name in the URL window
on a Web browser. (For example, "http://www.mycompany.com/default.asp"
would become "http://www.mycompany.com/default.asp.") The contents of
a file, potentially including database passwords, would then be
displayed through the browser.
"The problem is that if you put a dot at the end of the file name,
instead of being executed, [the file] actually gets read to the client
by the server," said Jonathan Perera, lead product manager at
Microsoft.
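
A server operator can look for this request pattern in access logs. The following is an added example, not code from the article or from Microsoft; the four-field log layout, the sample lines and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Script types the article names as affected in IIS 3.0.
SCRIPT_EXTENSIONS = ("asp", "htx", "idc")

# Path ends in an affected extension followed by one or more periods.
TRAILING_DOT = re.compile(
    r"\.(%s)\.+$" % "|".join(SCRIPT_EXTENSIONS), re.IGNORECASE
)

def is_trailing_dot_request(target):
    """True if the request path names a script file with a period appended."""
    path = urlsplit(target).path  # drop any query string or fragment
    return bool(TRAILING_DOT.search(path))

def scan(log_lines):
    """Return (client, target, status) for each matching request.

    Assumed layout per line: client-ip method target status
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        # Skip header lines and anything that does not fit the assumed layout.
        if len(fields) != 4 or not fields[3].isdigit():
            continue
        client, _method, target, status = fields
        if is_trailing_dot_request(target):
            hits.append((client, target, int(status)))
    return hits

# Constructed sample log, not taken from any real server.
SAMPLE_LOG = [
    "#Fields: c-ip cs-method cs-uri sc-status",
    "192.0.2.10 GET /default.asp 200",
    "192.0.2.44 GET /default.asp. 200",
    "192.0.2.44 GET /orders/query.IDC.?id=7 200",
    "192.0.2.51 GET /docs/readme.txt. 404",
    "192.0.2.60 GET /report.htx. 404",
]

if __name__ == "__main__":
    for client, target, status in scan(SAMPLE_LOG):
        # Assumption: a 200 means the server answered with content.
        note = "content returned" if status == 200 else "not served"
        print(f"{client} {target} -> {status} ({note})")
```

Matches that were answered with status 200 are the ones to review first, since the script text may have been sent to that client.
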
Once hackers have the name of a database and its password, they might
still be blocked from accessing it by a corporate firewall. Also, the
file that is displayed to users won't necessarily display passwords.
Still, Microsoft is frantically preparing a fix for the problem that
should be available within the next two days.
In the meantime, developers have already come up with a software
patch that fixes the security hole.
"There's a lot of information that a developer can put into scripts,"
said Perera. "It's possible to pass a password to a database with
scripts. Theoretically, it's possible for a hacker to get the name of
a database and password."
Microsoft officials learned of the security problem this morning after
developers posted information to various newsgroups and mailing lists
about the bug. More than 100,000 copies of IIS 3.0 have been
downloaded from Microsoft's Web site, Perera said.
Web developers expressed concern about the security hole, even though
firewalls may screen out most intruders from accessing internal
company databases.
"We have to remember that hackers are located on intranets also so
that if the hacker is within the firewall of the corporate intranet,
or if the server is available via some protocol over the Internet, the
hacker can perform any malicious acts that the compromised account
allows," said Stephen Genusa, vice president of engineering for
software developer IRdg.
Another developer was equally concerned that the hole would allow
other programmers to copy the source code of Active Server Pages
scripts to use on their own pages.
"It's like delivering MS Word with the source code included," said
Christoph Wille, a software developer based in Leoben, Austria. "Don't
even think about passwords and hackers. You lose a big amount of money
when your customers simply have to download the source code from
another site that has already bought the software."
This is the second time in recent weeks that the security of
Microsoft's Internet products has been in the spotlight.
In late January, a group of hackers called the Chaos Computer Club
demonstrated on German television an ActiveX control that triggers
unauthorized bank transactions through Intuit's Quicken financial
program. Yesterday, Microsoft tried to allay concerns about the
security risks of ActiveX by setting up a Web site, Web Executable
Security Advisor.