[10899] in bugtraq
Re: IIS 4.0 admin bug
daemon@ATHENA.MIT.EDU (Microsoft Product Security Respons)
Thu Jun 24 17:27:30 1999
Message-Id: <D1A11CCE78ADD111A35500805FD43F5801979189@RED-MSG-04>
Date: Thu, 24 Jun 1999 11:08:16 -0700
Reply-To: Microsoft Product Security Response Team <secure@MICROSOFT.COM>
From: Microsoft Product Security Response Team <secure@MICROSOFT.COM>
X-To: "azz@josstix.demo.co.uk" <azz@josstix.demo.co.uk>
To: BUGTRAQ@NETSPACE.ORG
Adam,
The passwords are encrypted in the metabase. However, if you're viewing
them as an administrator, they're decrypted on the fly as part of the
display process. That's probably why they seemed to be plaintext. Cheers,
Secure@microsoft.com
-----Original Message-----
From: Adam Sampson [mailto:azz@JOSSTIX.DEMON.CO.UK]
Sent: Monday, June 21, 1999 3:19 PM
To: BUGTRAQ@NETSPACE.ORG
Subject: IIS 4.0 admin bug
I've been doing some work with automatic administration of IIS 4.0 on
Windows NT 4/SP4 over the last couple of days, and noticed a security
problem.
If I create a IISWebVirtualDir (sorry, don't have the machine in front of me
at the moment, so my spellings/names might be wrong), I can set a username
and password with which the directory will be read (which is handy for
reading directories that the webserver otherwise wouldn't have access to).
The IIS Programmer's Guide states that the password is stored encrypted in
the metabase, when it's actually stored as plaintext---a security problem if
you can dump the metabase data by other means, as you'll get plaintext valid
user IDs and passwords.
This seems like MS trying to cover up an obvious security problem by
incorrect documentation. Of course, given the other hoops I've needed to
jump through to get what should be a relatively simple admin task done
automatically, I wasn't really suprised.
--
Adam Sampson
azz@gnu.org
