Security Holes in ISAPI Extensions

Published: 19 Sep, 2001
Created by: Chew HwaiGeeng

Internet Information System 5.0 (IIS) is the web server used for Windows 2000. It allows a Windows 2000 server to host both static websites and dynamic content. IIS is nice to use, especially for a beginner (like me) starting out, since the graphical interface and wizards make it easy to use, install, and maintain. The greatest part of IIS5 is its ability to take ISAPI extensions as plug-in modules, as is done for Active Server Pages (ASP). The ability to use the Component Object Model (COM) from ASP, or from any ISAPI extension that supports it, extends the usefulness of IIS5 further, for instance by connecting to a database with Active Data Object (ADO) from ASP. While all of this seems great, it creates a lot of problems as well, especially security problems. All ISAPI extensions are external applications that come as DLLs. They are not part of the web service itself, and a small mistake in one of these external applications may open security holes in IIS. In this assignment, I will mainly discuss the ISAPI extensions and the security holes associated with them. Note that "IIS" refers to IIS version 5 throughout this assignment.