New IIS4 Security Hole

The latest Microsoft security bulletin (and they come all too often) details a vulnerability in Internet Information Server 4 and Site Server. Check the IIS 4 exploit knowledgebase article on the MS website (be careful using Netscape though, the M$ site is Netscape booby-trapped). This latest hole was discovered NOT by Microsoft but by the folks at WebTrends, who make a living selling software that formats webserver logs into fancy reports. M$ is doing the right thing by documenting the exploits and taking corrective action, and that is commendable. However, a new exploit pops up every other day, and that is not acceptable!

This IIS4 hole is in the sample file-viewer scripts that ship with IIS (which is free on the M$ website) and with Site Server. They are meant to let visitors read the source of the sample pages as a learning exercise, but they do not restrict which files they will display, so a visitor can VIEW ANY FILE on the webserver that the web user account can read. Under Site Server the viewers are installed by default; under IIS an administrator has to install them, but plenty of servers have the samples installed. The requests run as the anonymous IUSR_COMPNAME account, so anything that account has read rights to under the NT ACLs (and with fabulous NT it is in the EVERYONE group, which has rights to just about everything by default) can be VIEWED by any visitor who knows or can guess the file name. All directories, scripts, you name it. The files cannot be modified, only viewed, but that is still a serious hole: with a tool Microsoft gives away for free you can hack apart IIS and pull the source code of web apps, records, database files, or anything else on the same partition as the web content (data kept on a separate drive is out of reach, as the bulletin itself notes). Now that is web server service.

Here is the actual security bulletin M$ mails out to MCSEs and subscribers:

The following is a Security Bulletin from the Microsoft Product Security Notification Service.

Update to Microsoft Security Bulletin (MS99-013)
------------------------------------------------
Patches Available for File Viewers Vulnerability

Originally Posted: May 7, 1999
Updated: May 19, 1999

Summary
=======
This is an update to Microsoft Security Bulletin MS99-013. The purpose of the update is to advise customers of the availability of patches that eliminate a vulnerability that occurs in some file viewers included in Microsoft (r) Internet Information Server and Site Server. The vulnerability could allow a web site visitor to view, but not to change, files on the server, provided that they knew or guessed the name of each file and had access rights to it based on Windows NT ACLs.

Issue
=====
Microsoft Site Server and Internet Information Server include tools that allow web site visitors to view selected files on the server. These are installed by default under Site Server, but must be explicitly installed under IIS. These tools are provided to allow users to view the source code of sample files as a learning exercise, and are not intended to be deployed on production web servers. The underlying problem in this vulnerability is that the tools do not restrict which files a web site visitor can view. It is important to note several important points:

 - These file viewers are not installed by default under IIS.
 - The web site visitor would need to know or guess the name of each file they wished to view.
 - This vulnerability only allows a web site visitor to view files, not to change them or to create new ones.
 - The file viewers are subject to normal Windows NT file permission ACLs. A web site visitor could only use the file viewers to read files for which they have read access.
 - The viewers can only be used to view files on the same disk partition as the currently-displayed web page. Databases such as those used by e-commerce servers are typically stored on a different physical drive, and these would not be at risk.

While there are no reports of customers being adversely affected by this vulnerability, Microsoft is proactively releasing this bulletin to allow customers to take appropriate action to protect themselves against it.

Affected Software Versions
==========================
 - Microsoft Site Server 3.0, which is included with Microsoft Site Server 3.0 Commerce Edition, Microsoft Commercial Internet System 2.0, and Microsoft BackOffice Server 4.0 and 4.5
 - Microsoft Internet Information Server 4.0

What Microsoft is Doing
=======================
Microsoft has released patches that fix the problem identified. The patches are available for download from the sites listed below in What Customers Should Do.

Microsoft also has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See http://www.microsoft.com/security/services/bulletin.asp for more information about this free customer service.

Microsoft has published the following Knowledge Base (KB) articles on this issue:
 - Microsoft Knowledge Base (KB) article Q231368, Solution Available for File Viewers Vulnerability, http://support.microsoft.com/support/kb/articles/q231/3/68.asp.
 - Microsoft Knowledge Base (KB) article Q231656, Preventing Viewcode.asp from Viewing Known Server Files, http://support.microsoft.com/support/kb/articles/q231/6/56.asp.

(Note: It might take 24 hours from the posting of the bulletin for the updates to the KB articles to be visible in the Web-based Knowledge Base.)

What Customers Should Do
========================
Microsoft highly recommends that customers evaluate the degree of risk that this vulnerability poses to their systems and determine whether to download and install the patch. The patch can be found at:
 - Internet Information Server: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/
 - Site Server: ftp://ftp.microsoft.com/bussys/sitesrv/sitesrv-public/fixes/usa/siteserver3/hotfixes-postsp2/Viewcode-fix/

NOTE: The above URLs have been word-wrapped for readability.

Microsoft has provided a checklist that customers can use to ensure that their web servers have been properly secured. This checklist is available at http://www.microsoft.com/security/products/iis/checklist.asp

More Information
================
Please see the following references for more information related to this issue.
 - Microsoft Security Bulletin MS99-013, Patches Available for File Viewers Vulnerability (The Web-posted version of this bulletin), http://www.microsoft.com/security/bulletins/ms99-013.asp.
 - Microsoft Knowledge Base (KB) article Q231368, Solution Available for File Viewers Vulnerability, http://support.microsoft.com/support/kb/articles/q231/3/68.asp.
 - Microsoft Knowledge Base (KB) article Q231656, Preventing Viewcode.asp from Viewing Known Server Files, http://support.microsoft.com/support/kb/articles/q231/6/56.asp.

Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft acknowledges WebTrends (www.webtrends.com) for discovering this vulnerability and reporting it to us.
Pay attention if you use NT and/or IIS. Security flaws and exploits will always be around, in any OS, but the Microsoft list is getting a little long and a lot ridiculous.
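The Issue section of the bulletin puts the underlying bug plainly: the viewers take a file name from the visitor and display whatever the server's account can read, with nothing pinning the request to the sample tree. The following is an added example, written here in Python rather than ASP and not Microsoft's viewer code, showing that bug beside the check that closes it. The function names, the iissamples directory, the hello.asp page and the global.asa contents are all assumptions constructed for the demonstration, not anything taken from the bulletin.

```python
"""
Added example (not Microsoft's code): a minimal "view source" handler of the
kind described in MS99-013, in two versions. The vulnerable one hands the
visitor-supplied name straight to open(); the hardened one canonicalises the
path and refuses anything that does not land inside the samples directory.
"""
import os
import tempfile


def view_source_vulnerable(samples_root, requested):
    """Serve a file for source display. Like the sample viewers in the
    bulletin, it does not restrict which file is read: any file the web
    server's account (IUSR_ on IIS) can read on that partition comes back."""
    with open(os.path.join(samples_root, requested), "r") as f:
        return f.read()


def resolve_under_root(samples_root, requested):
    """Return the real path of the requested file if it lies inside
    samples_root, else None. Rejects absolute paths, drive-letter paths and
    '..' traversal by canonicalising both sides and comparing prefixes."""
    root = os.path.realpath(samples_root)
    # os.path.join discards root entirely when requested is absolute, and a
    # bare drive letter ("C:secret.txt") escapes on Windows, so refuse both.
    if os.path.isabs(requested) or os.path.splitdrive(requested)[0]:
        return None
    candidate = os.path.realpath(os.path.join(root, requested))
    try:
        # commonpath raises ValueError when the two paths are on different
        # drives; that is also "outside the root".
        if os.path.commonpath([root, candidate]) != root:
            return None
    except ValueError:
        return None
    return candidate


def view_source_hardened(samples_root, requested):
    """Serve only regular files that resolve inside samples_root."""
    path = resolve_under_root(samples_root, requested)
    if path is None or not os.path.isfile(path):
        raise PermissionError("refusing to display %r" % (requested,))
    with open(path, "r") as f:
        return f.read()


def demo():
    """Build a throw-away tree (constructed sample data, not a real server):
    a sample page inside iissamples and a global.asa with a connection string
    one level up. Drive both viewers with a traversal request and return
    what happened."""
    base = tempfile.mkdtemp()
    samples = os.path.join(base, "iissamples")
    os.makedirs(samples)
    with open(os.path.join(samples, "hello.asp"), "w") as f:
        f.write('<% Response.Write "hello" %>')
    with open(os.path.join(base, "global.asa"), "w") as f:
        f.write('Application("ConnString") = "DSN=shop;UID=sa;PWD=secret"')

    traversal = os.path.join("..", "global.asa")
    results = {
        "sample_ok": view_source_hardened(samples, "hello.asp"),
        "vulnerable_leaks": view_source_vulnerable(samples, traversal),
    }
    try:
        view_source_hardened(samples, traversal)
        results["hardened_blocks"] = False
    except PermissionError:
        results["hardened_blocks"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The containment test is done on the resolved path, not on the string the visitor sent, so encoded dots, symlinks and drive-relative names are all judged by where they actually end up. Even with this check in place the bulletin's real advice stands: the viewers are learning aids and do not belong on a production server at all.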