Bugtraq mailing list archives
I.I.S and Security - No authentication of scripts.
From: daragh_malone () TELECOM IE (daragh_malone () TELECOM IE)
Date: Wed, 5 Mar 1997 16:44:08 GMT
This may have be mentioned on the BUGTRAQ mailing list, but I couldn't find it. The information is supplied as quoted by Chris Borneman. I've had some problems trying to verify this on the DEC Alpha version of I.I.S 3.0 -------------------------------------------------------------------- When securing your site based on membership (who you are, not where you are located), IIS turns to NTFS and the security access associated with the file. For instance, in IIS you have the ability to say "Allow Anonymous". This is used in conjuction with the "Anonymous Logon". The reason is simple, and file that can be accessed by the account specified in "Anonymous Logon" can be accessed by any Web user hitting your site. If the "Anonymous Logon", usually IUSR_machine_name, cannot access the file, IIS sends back an "access denied, please give your credentials" allowing either Basic Authentication (clear text), and/or Windows NT Challenge/Response. If the credentials match the access to the file in question, the file is sent. Try this for yourself. Create a directory under your wwwroot and use the NT Explorer to revoke rights on that directory and any subdirectory and only allow the SYSTEM and your specific account access (make sure it isn't the IUSR_machine_name account. Place an htm file in that directory, then access from Internet Explorer. You'll be asked to give your user name and password (assuming you allow Basic Authentication and turn off Windows NT Challenge/Response). However, if you do the same for a script, IIS still _executes_ it and sends back the results. This isn't an issue of "Read" vs. "Execute". The script isn't readable. The directory I'm dealing with has "Read" off and "Execute" on. However, the script also shouldn't be accessible or ran until I provide my credentials, and that is the SECURITY HOLE. Netscape's Server does this _correctly_, so why not Microsoft? The security issues Microsoft posted dealt with file names that caused the server filtering code to not recognize a file as a script, and send it to the client just as if it was an HTML document. This is the "dot" bug, adding extra periods to the end of the file name. While that was a bug, it really didn't have to do with the "security" aspect of IIS, as much is misprocessing the information. It of course is viewed as a security flaw due to the nature of the content. In reality, it is in my opinion an OS bug, as try the following in a command prompt DOS box: TYPE C:\AUTOEXEC.BAT.. Windows NT types out the file C:\AUTOEXEC.BAT, even though C:\AUTOEXEC.BAT.. was requested and it doesn't exist. This is why IIS failed, due to an OS bug that Microsoft gladly skated around and blamed IIS. IIS is supposed to access _every_ file within the thread context of either anonymous, or the specific Web user. IIS does this for all non-script files. However, it does not for script files. This is my issue, and so far many people on various lists and newsgroups have come across the same problem without any resolution or acknowledgement from Microsoft. I'm desperately looking for some answers, or will be forced to pull out of IIS and move back to Netscape. - Chris Borneman cborneman () plasticsnet com ---------------------------------------------------------------------- Daragh Malone.
Current thread:
- Bug in connect() for aix 4.1.4 ? Cahya Wirawan (Mar 05)
- Re: Bug in connect() for aix 4.1.4 ? Steve Campbell (Mar 05)
- I.I.S and Security - No authentication of scripts. daragh_malone () TELECOM IE (Mar 05)
- Re: I.I.S and Security - No authentication of scripts. Greg Haverkamp (Mar 06)
- 4.4BSD NFS File Handles David Sacerdote (Mar 06)
- 4.4BSD NFS File Handles Aleph One (Mar 06)
- I.I.S 3.0: Another slight security concern ? daragh_malone () TELECOM IE (Mar 07)
- COLD FUSION BUG Bill Staples (Mar 07)
- Re: Bug in connect() for aix 4.1.4 ? Rikhardur Egilsson (Mar 05)
- Re: Bug in connect() for aix 4.1.4 ? Frank Hofmann (Mar 06)
- Re: Bug in connect() for aix 4.1.4 ? Ollivier Robert (Mar 06)
- Yet another Internet Explorer bug... Aleph One (Mar 06)
- I.I.S and Security - No authentication of scripts. daragh_malone () TELECOM IE (Mar 05)
- Re: Bug in connect() for aix 4.1.4 ? Steve Campbell (Mar 05)
- <Possible follow-ups>
- Re: Bug in connect() for aix 4.1.4 ? Steve Campbell (Mar 11)