
June 26, 1998 4:05 PM PDT

Bug exposes script source code

Server software vendors and Windows operating system maker Microsoft are pointing fingers at each other after the discovery of a bug that leaves Web site scripts' source code vulnerable to exposure.

The bug allows users who add a particular character or string of characters to the end of a Web page URL or script URL to view the source code of that script. While the HTML coding of Web pages is normally viewable through the "page source" or "document source" commands found on most browsers, script source code is not supposed to be viewable. One reason is that scripts can interact with corporate databases and may contain user names and passwords to those databases.

Microsoft last year discovered a similar bug in its own Web server software, Internet Information Server 3.0.

But the bug did not surface for other Web server software until San Diego Source, the online arm of business news journal the San Diego Daily Transcript, published a story yesterday about its own discovery of the bug.

Netscape Communications, whose Enterprise server is vulnerable to the bug, said its engineers were testing a fix that it planned to post to its Web site next week.

The company also said the fault was not with its own products, but with Microsoft's.

"This is a bug that only appears on Windows, and it is not specific to our products," said Scott Johnston, group product manager for Netscape's Enterprise and Application servers.

O'Reilly & Associates, maker of WebSite server software, which also is vulnerable, laid the blame with Windows as well.

"The problem stems from the fact that the operating system accepts certain extra characters in the URL, and it really shouldn't accept them," said WebSite product manager Martin Ogawa.

Microsoft, which has long since mended the similar security hole in its own IIS Web site software, countered that the other software vendors were shirking responsibility for their products.

"It's not a bug in Windows that's doing anything," said Jason Garms, product manager for Windows NT security. "There are a number of bugs that only happen on one platform, and it's the responsibility of the vendor to understand the platform that they're running on. An application vendor is responsible for the security of their applications."

Netscape did say that by posting a fix it was taking responsibility for its software--even though it still blamed the problem on Microsoft's operating system.

The problem, according to Garms, is that the applications are failing to read URLs properly. It is the application and not the operating system, he said, that is responsible for breaking up the different parts of the Web address and deciding whether or not to grant access to the user who submits it.

"None of that process really happens at the file system level," Garms said. "So I'm not sure how this is anything other than an application error."

Whether the bug belongs to Windows or the applications running on it, the threat to sensitive information may not be very serious.

"It's fairly benign," said Netscape's Johnston, who noted that scripts are most often used for such mundane tasks as automating a graph or animating a graphic on the page. But occasionally the script could be pulling information off a corporate database, he said, and that could mean the script has written into it a user name and password that an intruder could find.
