[4131] in bugtraq
I.I.S and Security - No authentication of scripts.
daemon@ATHENA.MIT.EDU (daragh_malone@TELECOM.IE)
Thu Mar 6 01:51:21 1997
Date: Wed, 5 Mar 1997 16:44:08 GMT
Reply-To: daragh_malone@TELECOM.IE
From: daragh_malone@TELECOM.IE
To: BUGTRAQ@NETSPACE.ORG
This may have be mentioned on the BUGTRAQ mailing list, but I couldn't
find it. The information is supplied as quoted by Chris Borneman.
I've had some problems trying to verify this on the DEC Alpha version
of I.I.S 3.0
--------------------------------------------------------------------
When securing your site based on membership (who you are, not where
you are located), IIS turns to NTFS and the security access associated
with the file. For instance, in IIS you have the ability to say
"Allow Anonymous". This is used in conjuction with the "Anonymous
Logon". The reason is simple, and file that can be accessed by the
account specified in "Anonymous Logon" can be accessed by any Web user
hitting your site.
If the "Anonymous Logon", usually IUSR_machine_name, cannot access the
file, IIS sends back an "access denied, please give your credentials"
allowing either Basic Authentication (clear text), and/or Windows NT
Challenge/Response.
If the credentials match the access to the file in question, the file
is sent. Try this for yourself. Create a directory under your
wwwroot and use the NT Explorer to revoke rights on that directory and
any subdirectory and only allow the SYSTEM and your specific account
access (make sure it isn't the IUSR_machine_name account. Place an
htm file in that directory, then access from Internet Explorer.
You'll be asked to give your user name and password (assuming you
allow Basic Authentication and turn off Windows NT
Challenge/Response).
However, if you do the same for a script, IIS still _executes_ it and
sends back the results. This isn't an issue of "Read" vs. "Execute".
The script isn't readable. The directory I'm dealing with has "Read"
off and "Execute" on. However, the script also shouldn't be
accessible or ran until I provide my credentials, and that is the
SECURITY HOLE. Netscape's Server does this _correctly_, so why not
Microsoft?
The security issues Microsoft posted dealt with file names that caused
the server filtering code to not recognize a file as a script, and
send it to the client just as if it was an HTML document. This is the
"dot" bug, adding extra periods to the end of the file name. While
that was a bug, it really didn't have to do with the "security" aspect
of IIS, as much is misprocessing the information. It of course is
viewed as a security flaw due to the nature of the content. In
reality, it is in my opinion an OS bug, as try the following in a
command prompt DOS box:
TYPE C:\AUTOEXEC.BAT..
Windows NT types out the file C:\AUTOEXEC.BAT, even though
C:\AUTOEXEC.BAT.. was requested and it doesn't exist. This is why IIS
failed, due to an OS bug that Microsoft gladly skated around and
blamed IIS.
IIS is supposed to access _every_ file within the thread context of
either anonymous, or the specific Web user. IIS does this for all
non-script files. However, it does not for script files.
This is my issue, and so far many people on various lists and
newsgroups have come across the same problem without any resolution or
acknowledgement from Microsoft. I'm desperately looking for some
answers, or will be forced to pull out of IIS and move back to
Netscape.
- Chris Borneman
cborneman@plasticsnet.com
----------------------------------------------------------------------
Daragh Malone.
