Full Disclosure mailing list archives
Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin
From: Jan Reilink <janreilink () vevida com>
Date: Tue, 17 Jul 2012 12:44:57 +0200
[Hope this doesn't get double posted, removed bugtraq () securityfocus com]

Hi,

On 16-7-2012 19:24, king cope wrote:
Hi Lists,
[...]
The posting included some important bugs in the Internet Information Services, one of their flagship products: http://seclists.org/fulldisclosure/2012/Jun/189
Nice find. Somehow I missed your e-mail from the 10th of June... Anyway, a properly configured IIS web server has its Request Restrictions (resourceType) set to 'File' in the PHP handler. Not having this configured can give you some nasty error messages ("No input file specified", if the requested file doesn't exist). If not configured, fix it with appcmd:

appcmd set config /section:system.webServer/handlers "-+[name=`'PHP`',path=`'*.php`',verb=`'*`',modules=`'FastCgiModule`',scriptProcessor=`'path\to\php-cgi.exe`',resourceType=`'File`']"

If you're unable to (maybe because you're a user, not an admin), you can deny certain URL sequences using IIS URL Rewrite or Helicon ISAPI_Rewrite:

RewriteEngine On
# DenyPHPafterASPX
RewriteCond %{REQUEST_URI} ^/(.*\.aspx)/(.*\.php)$ [NC]
RewriteRule .? / [F,L]

<rewrite>
  <rules>
    <rule name="DenyPHPafterASPX" stopProcessing="true">
      <match url=".?" ignoreCase="false" />
      <conditions logicalGrouping="MatchAll">
        <add input="{URL}" pattern="^/(.*\.aspx)/(.*\.php)$" />
      </conditions>
      <action type="CustomResponse" url="/" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
    </rule>
  </rules>
</rewrite>

These are workarounds, not fixes. I can't reproduce the authentication bypass vulnerabilities you mention. Also, there is more than one way to password protect a directory. Did you disable 'anonymous authentication' in IIS 6.0/7.5, or did you remove or deny IUSR-user NTFS permissions on the file system?

Regards,
Jan Reilink
VEVIDA Services
http://vevida.com
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
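As an added example (not part of Jan's mail, nor code from IIS URL Rewrite or Helicon ISAPI_Rewrite), here is a small Python model of the two workarounds the mail describes: the DenyPHPafterASPX condition and the resourceType='File' handler restriction, run against constructed request paths and a throwaway docroot. It assumes the condition is matched case-insensitively (as the [NC] flag requests) and that the pattern is fed the URL path without a query string; the status codes are the model's, not captured IIS output.

```python
import re
import tempfile
from pathlib import Path

# Pattern from the DenyPHPafterASPX rule in the mail. The ISAPI_Rewrite variant
# carries [NC], so the check is done case-insensitively here; the input is the
# URL path only (no query string), matching what IIS's {URL} variable holds.
DENY_PHP_AFTER_ASPX = re.compile(r"^/(.*\.aspx)/(.*\.php)$", re.IGNORECASE)


def rewrite_blocks(url_path: str) -> bool:
    """True when the rewrite condition matches and the rule would answer 403."""
    return DENY_PHP_AFTER_ASPX.match(url_path) is not None


def php_handler_outcome(url_path: str, docroot: Path, resource_type: str = "File") -> int:
    """Model (assumption, not IIS itself) of how a *.php request fares.

    With resourceType='File' the handler only runs when the mapped physical
    file exists, so a missing file is answered with 404 before php-cgi sees it.
    With resourceType='Unspecified' the request is handed to php-cgi regardless
    (modelled as 200), which is where the "No input file specified" message
    in the mail comes from.  The rewrite rule, when present, is evaluated first.
    """
    if rewrite_blocks(url_path):
        return 403
    physical = docroot / url_path.lstrip("/")
    if resource_type == "File" and not physical.is_file():
        return 404
    return 200


def demo() -> dict:
    """Run constructed requests against a temporary docroot; returns statuses."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp)
        (docroot / "index.php").write_text("<?php echo 'ok'; ?>")  # constructed file
        results["existing_php"] = php_handler_outcome("/index.php", docroot)
        results["php_after_aspx"] = php_handler_outcome("/page.aspx/x.php", docroot)
        results["php_after_aspx_case"] = php_handler_outcome("/Page.ASPX/x.PHP", docroot)
        results["missing_php_file"] = php_handler_outcome("/nothere.php", docroot, "File")
        results["missing_php_unspecified"] = php_handler_outcome("/nothere.php", docroot, "Unspecified")
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:26s} -> {status}")
```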