Full Disclosure mailing list archives
Microsoft Biztalk Server documentation and repository sites weak permissions
From: Cesar <cesarc56 () yahoo com>
Date: Thu, 18 Sep 2003 17:33:28 -0700 (PDT)
Security Advisory Name: Microsoft Biztalk Server documentation and repository sites weak permissions. System Affected : Microsoft Biztalk Server 2000 and Microsoft Biztalk Server 2002. Severity : Medium Remote exploitable : Yes Author: Cesar Cerrudo. Date: 09/18/03 Advisory Number: CC090308 Legal Notice: This Advisory is Copyright (c) 2003 Cesar Cerrudo. You may distribute it unmodified and for free. You may NOT modify it and distribute it or distribute parts of it without the author's written permission. You may NOT use it for commercial intentions (this means include it in vulnerabilities databases, vulnerabilities scanners, any paid service, etc.) without the author's written permission. You are free to use Microsoft details for commercial intentions. Disclaimer: The information in this advisory is believed to be true though it may be false. The opinions expressed in this advisory are my own and not of any company. The usual standard disclaimer applies, especially the fact that Cesar Cerrudo is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory. Cesar Cerrudo bears no responsibility for content or misuse of this advisory or any derivatives thereof. Overview: Microsoft Biztalk Server is a Microsoft product for business-process automation and application-integration both within and between businesses. BizTalk Server provides a powerful Web-based development and execution environment that integrates loosely coupled, long-running business processes, both within and between companies. BizTalk Server features include integration among existing applications; the definition of document specifications and specification transformations; and the monitoring and logging of run-time activity. The server provides a standard gateway for sending and receiving documents across the Internet, as well as providing a range of services that ensure data integrity, delivery, security, and support for the BizTalk Framework and other key document formats. When installed some IIS virtual directories are created with weak permissions. Details: By default Microsoft Biztalk Server installs and cofigures some virtual directories in IIS, there are two virtual directories configured with weak permissions, one site holds documentation information (http://server/BizTalkServerDocs/) and the other site is a WebDAV repository for XML files (http://server/BizTalkServerRepository/). Virtual directory "http://server/BizTalkServerDocs/" by default has the next configuration on IIS: -Authenticate users by Windows authentication, -Write and browse directories permissions, not execute permssions. -Not default document configured. NTFS permissions are full control to users group on physical folder "...\Microsoft BizTalk Server\Documentation\". Virtual directory "http://server/BizTalkServerRepository/" by default has the next configuration on IIS: -Anonymous web access. -Write and browse directories permission, not execute permssions. -Not default document configured. NTFS permissions are full control to users group on physical folder "...\Microsoft BizTalk Server\BizTalkServerRepository\". Note: Site "http://server/BizTalkServerRepository/" needs write permissions because it is a WebDAV repository which allow users to upload, edit, etc. XML files. These weak permissions can be exploited by an attacker in many ways, some samples: -In case of site "http://server/BizTalkServerDocs/" an attacker can upload and replace HTML documentation pages with pages with dangerous activex controls, scripts, etc. -In case of site "http://server/BizTalkServerRepository/" an attacker can replace XML files with others XML files making Biztalk Server to fail when using altered XML files. -etc. Vendor Status: Microsoft was contacted several months ago and now they release a Knowledge Base Article. Patch Available: http://support.microsoft.com/default.aspx?scid=kb;en-us;824935 SQL SECURITY LIST!!!: For people interested in SQL Server security, vulnerabilities, SQL injection, etc. Get advisories and vulnerabilities before!!! Join at: sqlserversecurity-subscribe () yahoogroups com http://groups.yahoo.com/group/sqlserversecurity/ __________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Microsoft Biztalk Server documentation and repository sites weak permissions Cesar (Sep 18)