A bug discovered by Spin Solutions' internet director, Tom Murphy, in Microsoft's Internet Information Server 4 allows full access to the whole of an NT server's hard disk. The bug, now named the "Spinbug", potentially puts at risk the data of thousands of websites hosted as NT virtual servers. It arises from a combination of misconfigured access permissions and an obscure ASP object native to IIS/ASP. Unless decent security is implemented, a user running an ASP script can gain full read/write access to files anywhere on the NT server's hard drives. With many websites taking credit card orders, the danger is very real, but the gravity of the situation completely escaped Microsoft.

In the worst case, a user could use the ASP script to access any file on the NT server. On an NT box running a number of virtual sites, one user could access another user's files. The script runs with the permissions of the Everyone group under the anonymous user account, which every site on the box shares. By default, sensitive files are accessible to that account, and this appears to be one of the major problems. Spinsol tested the ASP script on a number of NT/IIS boxes and found the same vulnerability on each.

Full details of the bug and the source code, along with instructions for the necessary precautions, have been posted on Spinsol's site in the form of a FAQ. The document also contains Microsoft's reply when Spinsol e-mailed it with details of the bug. Microsoft's initial response was one of an ostrich sticking its head in the sand: "everything is as it should be and there's no security vulnerability here." Of course, in the same e-mail it admits that if the files are not locked down "the script will be able to access them". Microsoft then goes on to recommend the IIS Resource Kit's chapter on security for information on setting the ACLs. Spinsol replied that the ASP script was running under the anonymous account and asked how it was possible to remove the anonymous account's ACL entries from the other websites on the same server.

Considering that there were over 100 websites on the same server, this was a very important question. It was pointed out to Microsoft that a user could use the ASP script to view the directories of other websites, since the anonymous account's ACL entries could not be removed without rendering those sites useless. This time Microsoft's reply had a more worrying tone. This is Microsoft's response: "You'll need to retain the anonymous account on the ASP files in order to let anonymous users use them. However you'll need to remove permissions for the anonymous account (IUSR_machinename) for all of the other files. There is no other way to protect the files -- if the anonymous account has privileges, anonymous users will be able to read/modify them."

So it looks like this is a fairly serious bug, as it will affect most installations where due care and attention are absent. The problem does not appear to affect IIS 3 but does affect IIS 4 with SP4 and above. The Active Server Pages system is one of the best aspects of IIS and one that some other web servers have sought to emulate. Anyone running NT/IIS 4 should carefully check the permissions on each file, though it appears that an existing account on the server (the ability to publish an ASP script to one of its sites) would be required to fully exploit the bug. Spinsol has opened a web discussion forum for feedback on this event.
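The check Microsoft's reply amounts to, written out as an added example (this is not code from the original article, from Spinsol's FAQ or from Microsoft): take a dump of the server's file ACLs as produced by `cacls C:\ /T`, and report every file that the anonymous account (IUSR_machinename, or Everyone, which it belongs to) can read or modify, other than the web content the account genuinely needs. Because all the virtual sites on the box share the one anonymous account, the audit is deliberately server-wide rather than per site. The `cacls` output layout assumed here (path, then one ACE per line with continuation lines indented, rights code after the last colon), the assumption that paths contain no spaces, the machine name WEBSRV, the list of "web" extensions and the sample dump are all constructed for the example.

```python
"""Audit a `cacls /T` dump for files the IIS anonymous account can reach.

Added example, not code from the original article or from Spinsol's FAQ.
It assumes the classic NT `cacls` output layout (path, then one ACE per
line with continuation lines indented, rights code after the last colon)
and that paths contain no spaces. SAMPLE_DUMP is constructed, not captured.
"""
import os
import re

# Identities an ASP page runs as when anonymous access is on: the IUSR_<machine>
# account itself and Everyone, which that account is a member of.
ANON_ACCOUNT = re.compile(r"^(?:[^\\]+\\)?(IUSR_\S+|Everyone)$", re.IGNORECASE)

# Extensions the anonymous account legitimately needs to read for a site to work
# (assumed list; extend to whatever content types the server actually serves).
WEB_EXTENSIONS = {".asp", ".htm", ".html", ".gif", ".jpg", ".css"}

# cacls rights codes that allow modification (Write, Change, Full control).
WRITE_CODES = {"W", "C", "F"}

# First line of each cacls entry: drive path, whitespace, first ACE.
_PATH_LINE = re.compile(r"^([A-Za-z]:\\\S*)\s+(.*)$")


def parse_cacls(dump):
    """Return {path: [(account, flags, rights_codes), ...]} from cacls /T output."""
    acls = {}
    current = None
    for line in dump.splitlines():
        m = _PATH_LINE.match(line)
        if m:
            current, ace = m.groups()
            acls[current] = []
        elif current is not None and line[:1].isspace():
            ace = line.strip()  # continuation line: another ACE for the same path
        else:
            continue  # blank line or unrecognised output
        if ":" not in ace or "special access" in ace:
            continue  # detail lines of a 'special access' ACE are not decoded here
        account, rights = ace.rsplit(":", 1)
        flags = set(re.findall(r"\(([A-Z]+)\)", rights))  # (OI)(CI)(DENY) ...
        codes = re.sub(r"\([^)]*\)", "", rights)          # leaves e.g. "R" or "F"
        acls[current].append((account.strip(), flags, codes))
    return acls


def under_any(path, roots):
    """True if path lies below one of the web content roots."""
    p = path.lower()
    return any(p.startswith(r.lower().rstrip("\\") + "\\") for r in roots)


def audit(acls, site_roots):
    """List (severity, path, account, reason) for ACEs the anonymous user can use.

    A file one site's ASP can read is readable from every other site's ASP as
    well, since they all run as the same IUSR_<machine> account, so the check
    does not try to match files to sites.
    """
    findings = []
    for path, aces in acls.items():
        # cacls shows inheritance flags only on directory ACEs.
        is_dir = any("OI" in f or "CI" in f for _, f, _ in aces)
        ext = os.path.splitext(path)[1].lower()
        for account, flags, codes in aces:
            if "DENY" in flags or not ANON_ACCOUNT.match(account):
                continue
            if set(codes) & WRITE_CODES:
                findings.append(("HIGH", path, account, "anonymous account can modify"))
            elif not under_any(path, site_roots):
                findings.append(("HIGH", path, account, "readable outside every web root"))
            elif not is_dir and ext not in WEB_EXTENSIONS:
                findings.append(("MEDIUM", path, account, "non-web file readable by every site"))
    return findings


# Constructed sample of `cacls C:\ /T` output for a two-site NT/IIS 4 box
# whose machine name is WEBSRV (both are assumptions for the example).
SAMPLE_DUMP = r"""
C:\Inetpub\wwwroot\site1\default.asp BUILTIN\Administrators:F
                                     NT AUTHORITY\SYSTEM:F
                                     WEBSRV\IUSR_WEBSRV:R
C:\Inetpub\wwwroot\site1\images BUILTIN\Administrators:(OI)(CI)F
                                WEBSRV\IUSR_WEBSRV:(OI)(CI)R
C:\Inetpub\wwwroot\site1\orders.mdb BUILTIN\Administrators:F
                                    Everyone:C
C:\Inetpub\wwwroot\site2\customers.txt BUILTIN\Administrators:F
                                       WEBSRV\IUSR_WEBSRV:R
C:\WINNT\repair\sam._ BUILTIN\Administrators:F
                      Everyone:R
C:\Payroll\salaries.xls BUILTIN\Administrators:F
                        Everyone:(DENY)R
"""


def main():
    for sev, path, account, reason in audit(parse_cacls(SAMPLE_DUMP), [r"C:\Inetpub\wwwroot"]):
        print(f"{sev:6} {path}  [{account}] {reason}")


if __name__ == "__main__":
    main()
```

On the sample the audit flags site1's Access database (Everyone has Change, so any site's ASP could rewrite it), site2's customer list (readable by the shared anonymous account, hence from site1's pages) and the backup SAM under WINNT\repair (readable by Everyone outside any web root), while the ASP page, the image directory and the file with an explicit DENY entry pass. Swap SAMPLE_DUMP for the real `cacls C:\ /T` output of the server to run it in earnest.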