A one-two punch of Web server security breaches of late shows that cavalier placement of scripts, passwords, and credit card data can unexpectedly allow sensitive information to fall into nearly anyone's hands.
No serious damage has been reported from the security lapses, and patches and fixes were quickly developed and made available to users earlier this month. Yet the permeability of Web servers, particularly on Microsoft Corp.'s Windows NT servers, forms a strong reminder to corporations and Internet-commerce concerns that security should not be an afterthought when setting up servers.
"There are things that people put on their Web server that they believe that nobody can see, and now in the last couple of weeks it has been shown that there are a couple of holes that make it possible for people to see things," said Dave Winer, president of UserLand Software, in Burlingame, California. "It gets scary when you realize that people put things in there that could unlock other resources."
Large, commerce-oriented sites are more likely to deploy on Unix platforms, while NT is more common for intranets, said Brian Jaffe, director of network and client services at Bantam Doubleday Dell Publishing in New York.
"My guess is that most people are doing IIS (Internet Information Server) for intranet," Jaffe said. "Over time there have been a variety of concerns with NT products. It's probably an indication that the product needs to mature, particularly if it's going to be used on the public Internet."
The so-called "dot" bug surfaced in late June on sites running Windows NT and the bundled Internet Information Server (IIS). By placing an extra period at the end of Active Server Pages (ASP) URLs, script source code becomes available for viewing. Microsoft patched the bug for IIS in February 1997, but it turns out it also affects such Web servers on NT as those from O'Reilly & Associates, Sun, and Netscape.
"Was there adequate notice to the other server vendors when this hole was detected and closed in Microsoft's server?" Winer asked. "Everybody who is running a Windows-based Web server should be looking at their procedures and thinking they may have to do a little bit better."
Days after the "dot" bug resurfaced, a new -- yet similar -- bug, the "::$DATA" bug, was shown to offer access to ASP scripting information if ::$DATA is added to the URL of a page on a server running IIS. Microsoft posted a fix to the bug on July 2.
"The thing that both loopholes have in common is a way of tricking a Web server into thinking that one of the ASP is to be returned, as if it were just a file on the hard disk," Winer said. "It turns out it's remarkably easy to do that."
Because of such susceptibility, Web server vendors recommend that sensitive information not be included in ASP scripts.
"It varies from site to site, but we recommend a three-tier model where all the business logic is in a component and is safe. The scripts just call the component. And use only 'execute' and not 'read' permission to these scripts," said Karan Khanna, security product manager for Windows NT at Microsoft.
The bugs, however, will still expose a programmer's intellectual property in the form of their scripts for others to copy and use, said Dennis Warren, technical support manager at O'Reilly & Associates.
"As we have more and more dynamic pages, the loss of intellectual property becomes more an issue," Warren said. "A lot of people do a lot of work on those."
For Winer at UserLand Software, the issue is a canary in a coal mine for those building Web sites.
"It's the nightmare that everybody who is running a Web server should be up at night worrying about, whether their system has these holes in it," he said.