Article ID: 231656 - View products that this article applies to.
This article was previously published under Q231656
This article has been archived. It is offered "as is" and will no longer be updated.
Default installations of Microsoft Site Server include ViewCode.asp, a tool provided so that users can view files in the sample sites. However, a Web visitor can also view any file on the server whose Access Control List (ACL) allows access by Web visitors and whose name the visitor knows or guesses.
Please note, however, that the Web visitor cannot change, delete, or add any files.
The ViewCode.asp tool does not restrict which files a visitor to a Web site can view.
To resolve this problem, obtain the latest service pack for Site Server 3.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/219292/EN-US/ )How to Obtain the Latest Site Server 3.0 Service Pack
Remove all copies of ViewCode.asp from the production server, or set the ACLs for them so that only the appropriate users can use them.
NOTE: Per normal security practices, the ACLs on the server should always be set to enable Web visitors to view only the files they need anyway, and to deny access to all others.
Microsoft highly recommends that customers evaluate the degree of risk that this vulnerability poses to their systems and determine whether to download and install the fix.
This fix corrects the vulnerability by restricting ViewCode.asp to viewing only files in the current directory. However, Web site operators who do not have a need to provide the file viewing capability may choose to remove all copies ViewCode.asp from the server altogether.
Environment in Which ViewCode.asp May Cause Security RiskThe security exposure is limited to the situation in which all of the following is true:
Installing the FixThe fix installation program, Update.exe, automatically replaces existing ViewCode.asp files.
NOTE: Common_viewcode.asp is used to replace the "common" ViewCode.asp file in the six directories listed below. PubSys_viewcode.asp is used to replace the existing ViewCode.asp in the Publishing sample (\Microsoft Site Server\SiteServer\Publishing).
Versions and Locations of ViewCode.aspA complete installation of Site Server 3.0 will install various copies of ViewCode.asp in different directories. Therefore, if you to choose to remove it, perform a full-disk search to locate all copies.
The following six directories contain the same version of ViewCode.asp:
However, the Publishing sample (\Microsoft Site Server\SiteServer\Publishing) contains a different version of ViewCode.asp that is customized to work specifically with the Publishing samples, which allows the samples to work as properly, but prevents a malicious user from gaining access to files outside of the sample sites.
NOTE: ViewCode.asp should always have the ACL permissions set to Administrators only, or to a group that is limited to Web content developers.
Code Changes in the FixThe issue is that ViewCode.asp uses "server.mappath" without any restrictions on what is passed to this function. Because ViewCode.asp allows a user to enter a path and filename, a malicious user could gain access to, and read (read-only), any known file on the same logical disk as ViewCode.asp that is not protected (no ACLs set for it).
The code added to the InitFileReading function in ViewCode.asp is as follows (these lines of code may wrap):
For the Publishing sample sites, a slightly different modification is required (these lines of code may wrap):
Purpose of ViewCode.asp & Related MSDN SampleThe purpose of ViewCode.asp is to show the Web content developer the code that makes the sample sites work.
If you base your content on one of the sample sites, remove the buttons (links) that load the code into ViewCode.asp to display it.
About Installing Samples & Documentation on Production ServersMost Site Server users do not install the sample sites on their production servers, just as they do not install the documentation. They are not typically needed on the production servers, as they use additional disk space, and because of the fact that they are just samples, they may not be secure as needed in a production environment.
If you have a need to include the samples on a production server, however, consider restricting access to them to your developers only.
Additional ReferencesPlease see the following reference for more information related to this issue:
For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security
Article ID: 231656 - Last Review: October 21, 2013 - Revision: 2.3