.htr IIS Security Issue
By Nannette Thacker - 04/16/2001
Like me, you and your customers may pay a monthly fee to your hosting provider for your ASP web site. And, like me, you may assume that your hosting provider keeps up on all issues needed to run a fine-tuned IIS server, including paying attention to Microsoft security postings and implementing any needed hot fixes.
However, be warned that this may not be the case and even with their best intentions, something may slip through the cracks!
Two days ago, I received an email from another ASP developer, Greg Owen, that my site ID and password could easily be seen and hacked by anyone, due to a Microsoft security issue that was announced in June/July of 2000!!
The .htr security issue lets an attacker read your global.asa file and the source of any .asp page on your web site simply by requesting the file with "+.htr" appended to its URL: IIS hands such a request to the .htr ISAPI handler (ISM.DLL), which returns the file's contents instead of executing them. Any database ID and password written into that source code (typically the connection string in global.asa) is then exposed.
With those credentials and a tool such as Visual InterDev or SQL Enterprise Manager, an unscrupulous hacker can connect straight to your database (if the database server is reachable from outside) and do anything with your data: view private records, change values, or destroy records outright.
I contacted my hosting provider via phone and email. Within two hours the hot fix was in place on the 4 dedicated and 2 cluster servers. Apparently this hot fix involves disabling the .htr extensions within IIS. Once this is done, those trying to access the files by exploiting the security problem will receive a "Page Not Found" error.
Here is my hosting provider's response:
"Here are the 2 hot fixes you need for the security hole for IIS 4 and 5
I checked several other ASP web sites, and some had the fix in place, and others did not. So please check YOUR web site and find out if the hot fixes have been implemented on your server.
Thanks to Pedro Paqueno of Aspin.com, who provided me with this information about the hot fix:
On July 17, 2000, these security updates were released:
Pedro also says:
"At any rate, I wouldn't rely on any host to keep me secure. I would suggest that you subscribe yourself to Microsoft's security alert email listserv. You can subscribe at: http://www.microsoft.com/security/services/bulletin.asp They send out any alert any time there is a security hole found... I get a couple emails a month!"
So based on what Pedro says above, I would suggest you subscribe to the security bulletins, then as you receive them, send them to your hosting provider and ask them if the patch in reference has been implemented on your servers (if you have the same type of account that I do, where you don't have access to IIS yourself).
(Added note: The CEO of my hosting provider wrote me a heartfelt apology and assured me that steps were in place to make sure this did not happen again. I still consider my hosting provider to be one of the best out there.)
ShiningStar.net | ShiningStarSingles.com | Christian911.com