[4136] in bugtraq
Re: I.I.S and Security - No authentication of scripts.
daemon@ATHENA.MIT.EDU (Greg Haverkamp)
Thu Mar 6 16:56:36 1997
Date: Thu, 6 Mar 1997 14:57:27 -0500
Reply-To: Greg Haverkamp <gregh@INSTINCTIVE.COM>
From: Greg Haverkamp <gregh@INSTINCTIVE.COM>
X-To: daragh_malone@TELECOM.IE
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <9702058576.AA857609178@smtpgw.telecom.ie>
Well, I just spent the better part of today looking at this. Fortunately,
I came in late. :)
At 04:44 PM 3/5/97 GMT, you wrote:
> This may have be mentioned on the BUGTRAQ mailing list, but I couldn't
> find it. The information is supplied as quoted by Chris Borneman.
> I've had some problems trying to verify this on the DEC Alpha version
> of I.I.S 3.0
I've not seen it before. I've been able to replicate this under
certain circumstances. I feel comfortable that I've isolated
some relatively obscure cases when this will happen.
Incidentally, I'm running Peer Web Services with Active Server Pages. So,
I'm not an exact match, but I'm pretty close.
> --------------------------------------------------------------------
>
> When securing your site based on membership (who you are, not where
> you are located), IIS turns to NTFS and the security access associated
> with the file. For instance, in IIS you have the ability to say
> "Allow Anonymous". This is used in conjunction with the "Anonymous
> Logon". The reason is simple, any file that can be accessed by the
> account specified in "Anonymous Logon" can be accessed by any Web user
> hitting your site.
[...]
> If the credentials match the access to the file in question, the file
> is sent. Try this for yourself. Create a directory under your
> wwwroot and use the NT Explorer to revoke rights on that directory and
> any subdirectory and only allow the SYSTEM and your specific account
> access (make sure it isn't the IUSR_machine_name account). Place an
> htm file in that directory, then access from Internet Explorer.
> You'll be asked to give your user name and password (assuming you
> allow Basic Authentication and turn off Windows NT
> Challenge/Response).
Yup. This works. Just as I would expect it to.
> However, if you do the same for a script, IIS still _executes_ it and
> sends back the results. This isn't an issue of "Read" vs. "Execute".
> The script isn't readable. The directory I'm dealing with has "Read"
> off and "Execute" on. However, the script also shouldn't be
> accessible or run until I provide my credentials, and that is the
> SECURITY HOLE. Netscape's Server does this _correctly_, so why not
> Microsoft?
If I look at the HTML file, go back to Internet Service Manager and change
permissions to Execute only, and then go to execute, I will not be
prompted. My username and password are cached as expected.
Kill Internet Explorer. Start it back up. Point it to
http://mymachine/passtest/passtest.exe, and I am prompted for a username
and password. Enter it, and the script runs.
If the file I am accessing is of a certain type (.exe, .asp, or .pl) I have
no problem. When I try .plx (for the PerlIS.dll), the script will never be
executed.
> IIS is supposed to access _every_ file within the thread context of
> either anonymous, or the specific Web user. IIS does this for all
> non-script files. However, it does not for script files.
Unless this is very specific to IIS (i.e., doesn't work with Peer Web
Services w/ASP), this does not appear to be a reproducible problem.
If anyone else is trying this, be absolutely certain you close IE after
looking at static pages.
Greg
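The two checks below are an added example, not part of the thread and not code from either poster or from Microsoft. They reproduce the verification the thread describes on a current Windows/IIS host from the defender's side: `Find-AnonymousReadable` walks the web root and lists files whose NTFS ACL actually grants the anonymous web account (or Everyone) read or execute rights, so you can confirm that the protected directory really denies it; `Test-AuthRequired` then requests the protected URLs with no credentials at all and reports whether the server answers 401, which sidesteps the browser credential cache Greg warns about. The account name, web root and URLs are placeholders to be set for your own server; the `passtest` URL is the one from Greg's message.

```powershell
# Added example (not from the original thread). Defender-side checks for the
# NTFS-ACL-based authentication behaviour discussed above.
# Assumptions: $AnonymousAccount is the account named under "Anonymous Logon"
# on your host (placeholder below); $WebRoot and the URL list are placeholders.

function Find-AnonymousReadable {
    param(
        [string]$WebRoot,
        [string]$AnonymousAccount
    )
    # File types the thread treats as scripts (executed rather than served).
    $scriptExtensions = '.exe', '.asp', '.pl', '.plx', '.dll'
    $read    = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $execute = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile

    Get-ChildItem -LiteralPath $WebRoot -Recurse -File | ForEach-Object {
        $file = $_
        $acl  = Get-Acl -LiteralPath $file.FullName
        $allow = @{}; $deny = @{}
        # Collect Allow and Deny masks per grantee. Only the anonymous account
        # itself and Everyone are matched; other group memberships of the
        # anonymous account are not expanded here (assumption/limitation).
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($who -ne $AnonymousAccount -and $who -ne 'Everyone') { continue }
            $rights = [int]$ace.FileSystemRights
            if ($ace.AccessControlType -eq 'Allow') {
                $allow[$who] = ($allow[$who] -bor $rights)
            } else {
                $deny[$who] = ($deny[$who] -bor $rights)
            }
        }
        foreach ($who in $allow.Keys) {
            # A Deny entry for the same grantee overrides the matching Allow bits.
            $effective = $allow[$who] -band (-bnot [int]$deny[$who])
            [pscustomobject]@{
                Path     = $file.FullName
                IsScript = ($file.Extension.ToLower() -in $scriptExtensions)
                Grantee  = $who
                Read     = (($effective -band $read) -ne 0)
                Execute  = (($effective -band $execute) -ne 0)
            }
        }
    }
}

function Test-AuthRequired {
    param([string[]]$Url)
    foreach ($u in $Url) {
        # Invoke-WebRequest sends no credentials unless asked to, so this is a
        # true anonymous request regardless of what a browser has cached.
        try {
            $resp   = Invoke-WebRequest -Uri $u -UseBasicParsing -ErrorAction Stop
            $status = [int]$resp.StatusCode
        } catch {
            # 4xx/5xx surface as exceptions; a connection failure leaves 0.
            $status = [int]$_.Exception.Response.StatusCode
        }
        [pscustomobject]@{
            Url          = $u
            Status       = $status
            # 401 is the expected answer for a protected file; 200 on a
            # protected script is the behaviour the thread reports.
            AuthEnforced = ($status -eq 401)
        }
    }
}

# Example invocation (all values are placeholders for your own server):
# Find-AnonymousReadable -WebRoot 'C:\InetPub\wwwroot' `
#     -AnonymousAccount "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME" |
#     Where-Object { $_.IsScript } | Format-Table
# Test-AuthRequired -Url 'http://mymachine/passtest/passtest.htm',
#                        'http://mymachine/passtest/passtest.exe' | Format-Table
```

Run the first function before the second: if a script file in the protected directory shows up with `Execute = True` for the anonymous account, the ACL itself is the cause and the server is behaving as designed, which matches Greg's finding; only a 200 on a path the ACL audit reports as not granted to the anonymous account reproduces the behaviour the original post describes.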