Bugtraq mailing list archives

Re: Security hole in Win2K's FTP server


From: adam () ALIENZOO COM (Adam Muntner)
Date: Tue, 18 Jul 2000 09:34:58 -0700


Dan Kaminsky wrote:

Greying out advanced functionality that's only available in more advanced
versions is a tried and true tactic among shareware authors, though I don't
remember the last time I saw it in an actual professional package (i.e.
PhotoStyler doesn't "hint" about Photoshop's advanced features).  It's not
unheard of, and in and of itself, it's not a security issue.


I ran into this issue last week, in fact.  It's also an issue for IIS on
W2KPRO.
The Security button is greyed out in IIS also.  This makes it
impossible to do things, on a developer workstation, such as... restrict
access to the HTTP server or specific directories to specific IP
addresses or ranges of IP addresses.  In many organizations, developers
have their 'own' http server for doing development work, on their own
workstation.  Many times, you don't want the entire company to see such
work.  In this instance, the internal threat is unaffected by border
firewalls.  The only solution is to purchase some other 'firewall'
software for individual hosts.  Not exactly the most optimal solution!

For the external threat, I thought... Well, I can add additional IP
addresses to the workstation, have the developers run the internal
development IIS servers (multiple sites are maintained by each
developer) on those IP addresses, and filter them at the network
perimeter, as IIS lets a single server run separate sites based on IP
address and HTTP host header... Obviously, I would use IP based
differentiation.

No can do.

Apparently, IIS5 on W2KPRO doesn't let you add vhosts, beyond a single
site, making this technique impossible.  As you can imagine, this
discovery led me to stomp about and curse a bit... as well as give me
more ammunition to argue to increase our FreeBSD/Apache deployment. ;)

In reality, I'd like to see a hotfix to swap around the necessary
registry info, and re-enable these options, or install whatever is
necessary dll-wise.

Microsoft, are you listening?

Adam

--
Adam Muntner
Systems Engineer, AlienZoo Inc.
adam () alienzoo com
(602)850-3262
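The control Adam is missing on Win2K Pro, per-directory restriction of an HTTP server to specific client IP addresses and ranges, is easy to express outside IIS. The following is an added example written for this archive page; it is not code from the original post, from Microsoft, or from IIS, and it uses Python's standard library rather than the IIS metabase. The directory prefixes, subnets and port are constructed for illustration. It checks the peer address of the TCP connection, not a request header, because the Host header is chosen by the client and gives no assurance about who is asking, which is the reason for preferring IP-based over host-header-based separation on a LAN.

```python
"""Per-directory client-IP restriction for a development HTTP server.

Added example for this page (not from the original post and not IIS code):
it implements, with Python's standard library, what the greyed-out IIS
'Security' button would configure -- restricting the whole server or
specific directories to specific IP addresses or CIDR ranges.
The rules, subnets and port below are constructed for illustration.
"""
import ipaddress
import posixpath
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample policy.  The longest matching directory prefix wins;
# a path that matches no prefix falls back to DEFAULT_ALLOW.  Deny by
# default is the safer setting for a workstation the whole company can reach.
RULES = {
    "/": ["127.0.0.1/32", "10.1.2.0/24"],        # assumed dev-team subnet
    "/public/": ["10.0.0.0/8"],                  # whole intranet may read this tree
    "/secret-client/": ["10.1.2.17/32"],         # one developer's workstation only
}
DEFAULT_ALLOW = False


def compile_rules(rules):
    """Parse the CIDR strings once; a malformed range fails here, at startup."""
    return {prefix: [ipaddress.ip_network(n, strict=True) for n in nets]
            for prefix, nets in rules.items()}


def _matching_prefix(norm_path, compiled):
    """Return the longest rule prefix that covers norm_path, or None."""
    best = None
    for prefix in compiled:
        p = prefix.rstrip("/") or "/"
        covers = norm_path == p or norm_path.startswith(p.rstrip("/") + "/")
        if covers and (best is None or len(p) > len(best.rstrip("/") or "/")):
            best = prefix
    return best


def is_allowed(client_ip, path, compiled, default_allow=DEFAULT_ALLOW):
    """True if client_ip may fetch path under the longest-prefix rule."""
    addr = ipaddress.ip_address(client_ip)
    # Drop the query string and collapse '.' / '..' segments so a request for
    # /public/../secret-client/ is judged by the rule for /secret-client/.
    norm = posixpath.normpath(path.split("?", 1)[0])
    if not norm.startswith("/"):
        norm = "/" + norm
    prefix = _matching_prefix(norm, compiled)
    if prefix is None:
        return default_allow
    # 'addr in net' is False when the address families differ, so an IPv6
    # client is denied unless an IPv6 range is listed explicitly.
    return any(addr in net for net in compiled[prefix])


class RestrictedHandler(SimpleHTTPRequestHandler):
    """Static file handler that enforces the IP policy before serving."""
    compiled = compile_rules(RULES)

    def send_head(self):
        # client_address[0] is the peer IP of the TCP connection; unlike the
        # Host header it is not something the client simply types in.
        if not is_allowed(self.client_address[0], self.path, self.compiled):
            self.send_error(403, "Forbidden by IP policy")
            return None
        return super().send_head()


if __name__ == "__main__":
    # Serves the current directory on an assumed port; HEAD/GET go through
    # send_head, so both are covered by the check above.
    server = ThreadingHTTPServer(("0.0.0.0", 8080), RestrictedHandler)
    print("serving on :8080 with per-directory IP policy")
    server.serve_forever()
```

Note that the more specific rule replaces, rather than narrows, the broader one: a dev-subnet host that may read "/" is still refused "/secret-client/" because only the listed workstation appears in that directory's rule. This is also the place to decide what an unmatched path gets; with a "/" rule present the default never triggers, but if that rule is removed the policy stays closed.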
