Check: WA000-WI050 IIS6
IIS6 Site:
WA000-WI050 IIS6
(in version v6 r16)
Title
Unused and vulnerable script mappings in IIS 6 must be removed. (Cat I impact)
Discussion
IIS file extensions which require server-side processing, but which have been deemed vulnerable, include .htr, .htw, .ida, .idc, .idq, .printer, .shtml, .shtm, .bat, .cmd and .stm. Requests to these file types can exploit a stack buffer overflow weakness in the ism.dll, httpodbc.dll, and ssinc.dll.
Check Content
1. Open the IIS Manager > Click on the Web Service Extensions directory.
2. In the right-hand pane look for the following web service extensions:
   Server side includes
   Internet Data Connector
   Index Server Web Interface
   Internet printing
   .HTR scripting
3. If any of the above service extensions exist and are set to Allowed, right-click on it > Select properties > Select the required files.
   NOTE: If a web service extension is set to Prohibit, this meets the intent of this check.
4. Record the files listed.
5. Right-click on the website being reviewed > Select properties > Select Home Directory.
6. Under Application settings select Configuration.
7. Under Application extensions find the file extensions listed below > Select Edit > Ensure the file extension is not mapped to the files noted in step 4 with respect to the specific service extension.
   Server side includes: .shtml, .shtm and .stm
   Internet Data Connector: .idc
   Index Server Web Interface: .htw, .ida and .idq
   Internet printing: .printer
   .HTR scripting: .htr
8. Ensure the following file extensions do not exist under application extensions: .bat, .cmd
9. Query the Web Admin on the listed extensions and the reason for their use.

If any of the extensions under step 7 match the required files in the Allowed status for the respective service extension, this is a finding.
If the file extensions .bat or .cmd are present, this is a finding.
If a file extension is listed and has no use, this is a finding.

NOTE: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of particular script mappings. If the site has this documentation, this should be marked as not a finding.

NOTE: You may need to perform this check on each site's directory, sub-directories, and virtual directories, since these can be set at each location.
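The comparison in steps 3 to 8, as an added example that is not part of the STIG or of any DISA tooling. It assumes the application extension mappings were exported as `extension,executable,flags,verbs` strings (the IIS 6 metabase ScriptMaps layout) and that each service extension's status and required files were recorded by hand; the function names and all sample data are constructed.

```python
import ntpath

# Step 7 of the check: file extensions per web service extension.
EXT_GROUPS = {
    "Server side includes": {".shtml", ".shtm", ".stm"},
    "Internet Data Connector": {".idc"},
    "Index Server Web Interface": {".htw", ".ida", ".idq"},
    "Internet printing": {".printer"},
    ".HTR scripting": {".htr"},
}
ALWAYS_FINDING = {".bat", ".cmd"}  # step 8

def parse_script_map(entry):
    """Split 'ext,executable,flags[,verbs...]' into (ext, executable file name)."""
    ext, path = entry.split(",")[:2]
    return ext.strip().lower(), ntpath.basename(path.strip()).lower()

def audit(script_maps, service_extensions):
    """service_extensions: {name: (status, [required files])} recorded in steps 2-4."""
    findings = []
    for entry in script_maps:
        ext, handler = parse_script_map(entry)
        if ext in ALWAYS_FINDING:
            findings.append((ext, handler, "must not exist (step 8)"))
            continue
        for name, exts in EXT_GROUPS.items():
            # A service extension that is absent or Prohibited cannot produce a match.
            status, files = service_extensions.get(name, (None, []))
            required = {ntpath.basename(f).lower() for f in files}
            if ext in exts and status == "Allowed" and handler in required:
                findings.append((ext, handler, f"mapped to allowed '{name}' file"))
    return findings

# Constructed sample data (not taken from a real server).
SAMPLE_MAPS = [
    r".asp,C:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE",
    r".shtml,C:\WINDOWS\system32\inetsrv\ssinc.dll,5,GET,POST",
    r".idc,C:\WINDOWS\system32\inetsrv\httpodbc.dll,5,GET,POST",
    r".cmd,C:\WINDOWS\system32\cmd.exe,1",
]
SAMPLE_EXTENSIONS = {
    "Server side includes": ("Allowed", [r"C:\WINDOWS\system32\inetsrv\ssinc.dll"]),
    "Internet Data Connector": ("Prohibited", [r"C:\WINDOWS\system32\inetsrv\httpodbc.dll"]),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_MAPS, SAMPLE_EXTENSIONS):
        print(finding)
```

Step 9 (querying the Web Admin about unused extensions and any ISSM/ISSO documentation) remains a manual judgment and is not modelled here.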
Fix Text
Remove unused and vulnerable script mappings.
Additional Identifiers
Rule ID: SV-16145r2_rule
Vulnerability ID: V-2267
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |