[NPL] Serious Security Hole affecting Tango in NT/IIS
From: Eric Weidl (weidl@INTERSITES.COM)
Subject: URGENT: Serious Security Hole affecting Tango in NT/IIS
Hello,
We have just become aware of a serious security hole in Microsoft's
Internet Information Server product. This bug can seriously compromise the
security of any web server running IIS including Tango application files.
As a developer of web-based applications, Intersites takes this matter very
seriously. We have already notified our clients of the problem and taken
corrective action to protect TAFs on our servers.
In essence, the bug will allow anyone to view the source of any script
(i.e. any TAF) running on a web server. As you are probably aware, it is
easy to view the source code of any static HTML page with a web browser,
but it was not possible to view the source code of an application which
runs on the server. At least it wasn't believed to be possible. The bug in
IIS makes it possible. Because web-based applications typically have
passwords embedded in them, having access to the source code can lead to a
serious security breach.
Unless you take protective action, this bug means that anyone on the web
can download your TAF or QRY documents and then open them in the Tango
Editor.
If you want more information on the bug and how to protect your Tango
files, feel free to call (630-262-8663) or email us
(support@intersites.com). Microsoft has more information on the problem at
their security web site (http://www.microsoft.com/security/): click on
Information by Date in the left column, then view the report on IIS
released today, July 2. EveryWare has been notified about the problem and
is taking the necessary precautions.
Eric Weidl, weidl@intersites.com, (888) 456-SITE, (630) 262-8663
Intersites, Inc. - http://www.intersites.com/
Developers of SiteSolution(tm) - http://www.sitesolution.net/