DOCUMENT:Q241407
TITLE   :Files on an FTP Server can be Improperly Accessed
PRODUCT :IIS
PROD/VER:4.0
OPER/SYS:WINDOWS NT
KEYWORD :kbbug4.00 kbfix4.00 

-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Internet Information Server version 4.0 
-------------------------------------------------------------------------------

SYMPTOMS
========

After you apply the hotfix referenced in the following article in the Microsoft
Knowledge Base:

   Q237987 FTP GET Does Not Work Correctly on UNC Virtual Directories

there is a possibility that files located on a Microsoft FTP server can be viewed
and downloaded regardless of NTFS file or directory permissions.

CAUSE
=====

If the aforementioned hotfix is applied to your IIS 4.0 system or if you have
applied a hotfix with the version number of 0719 through 0722, it is recommended
that you update your system with the security patch mentioned below.

RESOLUTION
==========

A supported fix that corrects this problem is now available from Microsoft, but
it has not been fully regression tested and should be applied only to systems
experiencing this specific problem. If you are not severely affected by this
specific problem, Microsoft recommends that you wait for the next Windows NT
service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services
to obtain the fix. For a complete list of Microsoft Product Support Services
phone numbers and information on support costs, please go to the following
address on the World Wide Web:

   http://www.microsoft.com/support/supportnet/overview/overview.asp

The English version of this fix should have the following file attributes or
later:

   Date      Time                 Size    File name     Platform
   -------------------------------------------------------------
   09/16/99  12:40PM              322KB   asp.dll       x86
   09/16/99  12:38PM              043KB   coadmin.dll   x86
   09/16/99  12:39PM              011KB   ftpctrs2.dll  x86
   09/16/99  12:39PM              080KB   ftpsvc2.dll   x86
   09/16/99  11:49PM              012KB   httpext.h     x86
   09/16/99  12:38PM              018KB   iisadmin.dll  x86
   09/16/99  12:38PM              062KB   iislog.dll    x86
   09/16/99  12:38PM              017KB   infoadmn.dll  x86
   09/16/99  12:38PM              181KB   infocomm.dll  x86
   09/16/99  12:38PM              029KB   iscomlog.dll  x86
   09/16/99  12:39PM              011KB   iwrps.dll     x86
   09/16/99  12:37PM              070KB   metadata.dll  x86
   09/16/99  12:38PM              051KB   nsepm.dll     x86
   09/16/99  12:39PM              015KB   w3ctrs.dll    x86
   09/16/99  12:39PM              224KB   w3svc.dll     x86
   09/16/99  12:38PM              086KB   wam.dll       x86

   09/16/99  03:40PM              537KB   asp.dll       alpha
   09/16/99  03:38PM              076KB   coadmin.dll   alpha
   09/16/99  03:39PM              017KB   ftpctrs2.dll  alpha
   09/16/99  03:40PM              124KB   ftpsvc2.dll   alpha
   09/16/99  03:40PM              028KB   iisadmin.dll  alpha
   09/16/99  03:40PM              110KB   iislog.dll    alpha
   09/16/99  03:40PM              026KB   infoadmn.dll  alpha
   09/16/99  03:40PM              181KB   infocomm.dll  alpha
   09/16/99  03:40PM              297KB   iscomlog.dll  alpha
   09/16/99  03:40PM              017KB   iwrps.dll     alpha
   09/16/99  03:40PM              129KB   metadata.dll  alpha
   09/16/99  03:40PM              051KB   nsepm.dll     alpha
   09/16/99  03:40PM              021KB   w3ctrs.dll    alpha
   09/16/99  03:40PM              377KB   w3svc.dll     alpha
   09/16/99  03:40PM              146KB   wam.dll       alpha

This hotfix has been posted to the following Internet location as Iprftp4i.exe
(x86) and Iprftp4a.exe (Alpha):

   ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/IIS40/
   hotfixes-postSP6/security/IPRFTP-fix/

STATUS
======

Microsoft has confirmed this to be a problem in Internet Information Server 4.0.

MORE INFORMATION
================

To view the build number of IIS installed on the affected system, perform the
following steps:

1. Open Windows NT Explorer.

2. Open the directory where Ftpsvc2.dll is located,
   &amp;lt;system_root&amp;gt;\system32\inetsrv.

3. Right-click on Ftpsvc2.dll.

4. The last four digits of the file version is the build number.

NOTE: The hotfix file version should be 4.02.0724 or higher.

For related information on this problem, please visit the following Microsoft Web
site:

   http://www.microsoft.com/security/bulletins/ms99-039.asp

For additional security-related information about Microsoft products, please
visit the following Microsoft Web site:

   http://www.microsoft.com/security/

Additional query words:
============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.