[10891] in bugtraq
IIS 4.0 admin bug
daemon@ATHENA.MIT.EDU (Adam Sampson)
Thu Jun 24 12:38:52 1999
Mail-Followup-To: bugtraq@netspace.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990621231908.D3897@josstix.demon.co.uk>
Date: Mon, 21 Jun 1999 23:19:08 +0100
Reply-To: Adam Sampson <azz@JOSSTIX.DEMON.CO.UK>
From: Adam Sampson <azz@JOSSTIX.DEMON.CO.UK>
To: BUGTRAQ@NETSPACE.ORG

I've been doing some work with automatic administration of IIS 4.0 on
Windows NT 4/SP4 over the last couple of days, and noticed a security
problem.

If I create an IISWebVirtualDir (sorry, don't have the machine in front of me
at the moment, so my spellings/names might be wrong), I can set a username
and password with which the directory will be read (which is handy for
reading directories that the webserver otherwise wouldn't have access to).
The IIS Programmer's Guide states that the password is stored encrypted in
the metabase, when it's actually stored as plaintext---a security problem if
you can dump the metabase data by other means, as you'll get plaintext valid
user IDs and passwords.

This seems like MS trying to cover up an obvious security problem by
incorrect documentation. Of course, given the other hoops I've needed to
jump through to get what should be a relatively simple admin task done
automatically, I wasn't really surprised.

--
Adam Sampson
azz@gnu.org