Bugtraq mailing list archives

I.I.S and Security - No authentication of scripts.


From: daragh_malone () TELECOM IE (daragh_malone () TELECOM IE)
Date: Wed, 5 Mar 1997 16:44:08 GMT


     This may have been mentioned on the BUGTRAQ mailing list, but I couldn't
     find it. The information is supplied as quoted by Chris Borneman.
     I've had some problems trying to verify this on the DEC Alpha version
     of I.I.S 3.0

     --------------------------------------------------------------------

     When securing your site based on membership (who you are, not where
     you are located), IIS turns to NTFS and the security access associated
     with the file.  For instance, in IIS you have the ability to say
     "Allow Anonymous". This is used in conjunction with the "Anonymous
     Logon".  The reason is simple: any file that can be accessed by the
     account specified in "Anonymous Logon" can be accessed by any Web user
     hitting your site.

     If the "Anonymous Logon", usually IUSR_machine_name, cannot access the
     file, IIS sends back an "access denied, please give your credentials"
     allowing either Basic Authentication (clear text), and/or Windows NT
     Challenge/Response.

     If the credentials match the access to the file in question, the file
     is sent.  Try this for yourself.  Create a directory under your
     wwwroot and use the NT Explorer to revoke rights on that directory and
     any subdirectory and only allow the SYSTEM and your specific account
     access (make sure it isn't the IUSR_machine_name account).  Place an
     htm file in that directory, then access it from Internet Explorer.
     You'll be asked to give your user name and password (assuming you
     allow Basic Authentication and turn off Windows NT
     Challenge/Response).

     However, if you do the same for a script, IIS still _executes_ it and
     sends back the results.  This isn't an issue of "Read" vs. "Execute".
     The script isn't readable.  The directory I'm dealing with has "Read"
     off and "Execute" on.  However, the script also shouldn't be
     accessible or run until I provide my credentials, and that is the
     SECURITY HOLE.  Netscape's Server does this _correctly_, so why not
     Microsoft?

     The security issues Microsoft posted dealt with file names that caused
     the server filtering code to not recognize a file as a script, and
     send it to the client just as if it was an HTML document.  This is the
     "dot" bug, adding extra periods to the end of the file name.  While
     that was a bug, it really didn't have to do with the "security" aspect
     of IIS, as much as misprocessing the information.  It of course is
     viewed as a security flaw due to the nature of the content.  In
     reality, it is in my opinion an OS bug; try the following in a
     command prompt DOS box:
     TYPE C:\AUTOEXEC.BAT..

     Windows NT types out the file C:\AUTOEXEC.BAT, even though
     C:\AUTOEXEC.BAT.. was requested and it doesn't exist.  This is why IIS
     failed, due to an OS bug that Microsoft gladly skated around and
     blamed IIS.

     IIS is supposed to access _every_ file within the thread context of
     either anonymous, or the specific Web user.  IIS does this for all
     non-script files.  However, it does not for script files.

     This is my issue, and so far many people on various lists and
     newsgroups have come across the same problem without any resolution or
     acknowledgement from Microsoft.  I'm desperately looking for some
     answers, or will be forced to pull out of IIS and move back to
     Netscape.

     - Chris Borneman
     cborneman () plasticsnet com

     ----------------------------------------------------------------------
     Daragh Malone.
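As an added illustration (not part of the post, and not IIS code), a small Python model of the two behaviours Chris describes: a dispatcher that picks the handler from the raw request name and skips the ACL check for scripts, beside one that canonicalizes the name the way Win32 does (trailing dots dropped) and applies the same ACL check to scripts and static files. The ACL table, paths and account names are constructed.

```python
# Toy model of the IIS 3.0 behaviours discussed in the post. Constructed
# example: the ACL table, paths and accounts are made up, not taken from IIS.
SCRIPT_EXTENSIONS = {".pl", ".exe"}

# Constructed NTFS-style ACLs: canonical path -> accounts allowed to access it.
ACLS = {
    r"C:\wwwroot\public\index.htm":     {"SYSTEM", "IUSR_WEB", "alice"},
    r"C:\wwwroot\public\cgi\search.pl": {"SYSTEM", "IUSR_WEB", "alice"},
    r"C:\wwwroot\private\report.htm":   {"SYSTEM", "alice"},
    r"C:\wwwroot\private\cgi\query.pl": {"SYSTEM", "alice"},
}


def win32_canonical(path: str) -> str:
    r"""Mimic Win32 name resolution: trailing dots and spaces on the last
    component are ignored, so C:\AUTOEXEC.BAT.. opens C:\AUTOEXEC.BAT."""
    head, sep, last = path.rpartition("\\")
    return head + sep + last.rstrip(". ")


def handler_for(path: str) -> str:
    """Classify a path as 'script' or 'static' by its final extension."""
    last = path.rpartition("\\")[2]
    dot = last.rfind(".")
    ext = last[dot:].lower() if dot != -1 else ""
    return "script" if ext in SCRIPT_EXTENSIONS else "static"


def naive_dispatch(requested: str, user: str) -> str:
    """The flawed behaviour described in the post: the handler is chosen from
    the raw request name, and the ACL is consulted only for static files."""
    handler = handler_for(requested)          # "search.pl.." looks static...
    path = win32_canonical(requested)         # ...but the OS opens search.pl
    if path not in ACLS:
        return "404"
    if handler == "script":
        return "execute"                      # no credential check at all
    return "send" if user in ACLS[path] else "401"


def safe_dispatch(requested: str, user: str) -> str:
    """Canonicalize first, then apply one ACL check in the requesting user's
    context before either reading or executing the file."""
    path = win32_canonical(requested)
    if path not in ACLS:
        return "404"
    if user not in ACLS[path]:
        return "401"                          # access denied, ask for credentials
    return "execute" if handler_for(path) == "script" else "send"
```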


