Web Application Development Advice & How To
Active Server Pages Development Advice & How To

Shining Star Services LLC
Shining Star Services
ASP.net Articles
HTML Tutorial
Auto-select an Element from a Menu or Scrolling List & Save Keystrokes!
ASP Driven DHTML Slider Menus REVISITED One Year Later! Part II
ASP Driven DHTML Slider Menus
ASP Driven HTML Outlines
Reusing Code with ASP Include Files and Subroutines
Hacker Query Check
.htr IIS Security Issue
Databases, Cookies
Functions to Open a Database Connection and Record Set
Setting Up and Using OraSession to Manage Your Oracle Database Objects
Storing Non-Durable Data for Cookie-less Sessions
Smart Popups
Javascript: Validate Numeric Fields
Javascript Confirm Form Submission
Javascript Dynamic Text Area Counter
Javascript: Check All and Uncheck All Check Boxes
Javascript Field Validations -- Client Side Scripting
Tree Select Demo
Adobe Extension Manager
Scandisk & Defrag Pointers
Standards & Style
Setting Up Your Own ASP Development Templates
Creating a Project Template for Estimations of Time, Tasks, and Resources
To Host or Not To Host
ASP Naming Conventions
HTML Naming Conventions & Visual Interdev HTML Generation
Working with and in spite of the Visual Interdev Design Mode
Commenting Your ASP Source Code
Reader Letters

Articles Home

Shining Star Services

.htr IIS Security Issue
By Nannette Thacker - 04/16/2001

Like me, you and your customers may pay a monthly fee to your hosting provider for your ASP web site. And, like me, you may assume that your hosting provider keeps up on all issues needed to run a fine-tuned, IIS Server, including paying attention to Microsoft security postings and implementing any needed hot fixes.

However, be warned that this may not be the case and even with their best intentions, something may slip through the cracks!

Two days ago, I received an email from another ASP developer, Greg Owen, that my site ID and password could easily be seen and hacked by anyone, due to a Microsoft security issue that was announced in June/July of 2000!!

The .htr security issue will allow a hacker to see your global.asa file and any .asp source code on your web site. This will allow them to access your database ID and password as contained in your source code.

With Visual Interdev or SQL Enterprise Manager, an unscrupulous hacker can access all of your data, destroying records, changing values, viewing private data, or anything!

I contacted my hosting provider via phone and email. Within two hours the hot fix was in place on the 4 dedicated and 2 cluster servers. Apparently this hot fix involves disabling the .htr extensions within IIS. Once this is done, those trying to access the files by exploiting the security problem will receive a "Page Not Found" error.

Here is my hosting provider's response:

"Here are the 2 hot fixes you need for the security hole for IIS 4 and 5
htrdos4i.exe is for IIS 4
q267559_w2k_sp2_x86_en.exe is for IIS 5"

I checked several other ASP web sites, and some had the fix in place, and others did not. So please check YOUR web site and find out if the hot fixes have been implemented on your server.

Thanks to Pedro Paqueno, of Aspin.com who provided me this information about the hot fix:

In July 17, 2000, these security updates were released:
- IIS 4.0:
- IIS 5.0:

Pedro also says:

"At any rate, I wouldn't rely on any host to keep me secure. I would suggest that you subscribe yourself to Microsoft's security alert email listserv. You can subscribe at: http://www.microsoft.com/security/services/bulletin.asp They send out any alert any time there is a security hole found... I get a couple emails a month!"

So based on what Pedro says above, I would suggest you subscribe to the security bulletins, then as you receive them, send them to your hosting provider and ask them if the patch in reference has been implemented on your servers (if you have the same type of account that I do, where you don't have access to IIS yourself).

(Added note: The CEO of my hosting provider wrote me a heartfelt apology and assured me that steps were in place to make sure this did not happen again. I still consider my hosting provider to be one of the best out there.)


ShiningStar.net | ShiningStarSingles.com | Christian911.com