Microsoft Biztalk Server documentation and repository sites weak permissions.

From: Cesar (cesarc56_at_UOL.COM.AR)
Date: 09/19/03

    Date:         Thu, 18 Sep 2003 21:40:30 -0300
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Security Advisory

    Name: Microsoft Biztalk Server documentation and repository sites weak permissions.
    System Affected : Microsoft Biztalk Server 2000 and Microsoft Biztalk Server 2002.
    Severity : Medium
    Remote exploitable : Yes
    Author: Cesar Cerrudo.
    Date: 09/18/03
    Advisory Number: CC090308


    Legal Notice:

    This Advisory is Copyright (c) 2003 Cesar Cerrudo.
    You may distribute it unmodified and for free. You may NOT modify it and distribute it or distribute
    parts of it without the author's written permission. You may NOT use it for commercial intentions
    (this means include it in vulnerabilities databases, vulnerabilities scanners, any paid service,
    etc.) without the author's written permission. You are free to use Microsoft details
    for commercial intentions.


    Disclaimer:

    The information in this advisory is believed to be true though it may be false.
    The opinions expressed in this advisory are my own and not of any company. The usual standard
    disclaimer applies, especially the fact that Cesar Cerrudo is not liable for any damages caused
    by direct or indirect use of the information or functionality provided by this advisory.
    Cesar Cerrudo bears no responsibility for content or misuse of this advisory or any derivatives thereof.



    Overview:

    Microsoft Biztalk Server is a Microsoft product for business-process automation
    and application-integration both within and between businesses. BizTalk Server
    provides a powerful Web-based development and execution environment that integrates
    loosely coupled, long-running business processes, both within and between companies.
    BizTalk Server features include integration among existing applications; the definition
    of document specifications and specification transformations; and the monitoring and
    logging of run-time activity. The server provides a standard gateway for sending and
    receiving documents across the Internet, as well as providing a range of services that
    ensure data integrity, delivery, security, and support for the BizTalk Framework and
    other key document formats. When the product is installed, some IIS virtual directories are created
    with weak permissions.


    Details:

    By default Microsoft Biztalk Server installs and configures several virtual directories in IIS.
    Two of them are configured with weak permissions: one site holds the product
    documentation (http://server/BizTalkServerDocs/) and the other is a
    WebDAV repository for XML files (http://server/BizTalkServerRepository/).

    Virtual directory "http://server/BizTalkServerDocs/" by default has the following configuration in IIS:
    -Users are authenticated with Windows authentication.
    -Write and directory browsing permissions, no execute permissions.
    -No default document configured.
    NTFS permissions are Full Control for the Users group on the physical folder
    "...\Microsoft BizTalk Server\Documentation\".

    Virtual directory "http://server/BizTalkServerRepository/" by default has the following configuration in IIS:
    -Anonymous web access.
    -Write and directory browsing permissions, no execute permissions.
    -No default document configured.
    NTFS permissions are Full Control for the Users group on the physical folder
    "...\Microsoft BizTalk Server\BizTalkServerRepository\".

    Note: Site "http://server/BizTalkServerRepository/" needs write permissions because it
    is a WebDAV repository, which allows users to upload, edit, etc. XML files.
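    The following audit script is an added example, not part of the advisory: it reads the IIS
    settings and NTFS ACLs of the two virtual directories described above and reports the weak
    values. It assumes the Default Web Site (metabase path W3SVC/1) and an IIS with the ADSI
    metabase provider available (IIS 5/6, or IIS 7+ with the IIS 6 Management Compatibility feature).

```powershell
# Added audit script (not part of the advisory). Assumes the Default Web Site
# (metabase path W3SVC/1) and the IIS ADSI metabase provider.
$siteRoot = "IIS://localhost/W3SVC/1/Root"
# The repository is a WebDAV store, so Write is by design there; flag it elsewhere.
$vdirs = @{
    "BizTalkServerDocs"       = @{ WriteExpected = $false }
    "BizTalkServerRepository" = @{ WriteExpected = $true  }
}

function Get-IisFlag([System.DirectoryServices.DirectoryEntry]$Entry, [string]$Name) {
    # Metabase boolean properties (AccessWrite, EnableDirBrowsing, ...) come back
    # as property value collections; reduce each to a plain [bool].
    return [bool]$Entry.Properties[$Name].Value
}

function Test-WeakNtfsAcl([string]$Path) {
    # Report any Allow ACE that gives the Users group or Everyone write-class rights.
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            ($id -like '*\Users' -or $id -eq 'Everyone') -and
            ($ace.FileSystemRights -match 'FullControl|Modify|Write')) {
            "  NTFS: $id has $($ace.FileSystemRights) on $Path"
        }
    }
}

foreach ($name in $vdirs.Keys) {
    $vdir = [ADSI]"$siteRoot/$name"
    # RefreshCache throws when the metabase path does not exist.
    try { $vdir.RefreshCache() } catch { "$name: virtual directory not found"; continue }
    $physical = [string]$vdir.Properties["Path"].Value
    "$name -> $physical"
    if ((Get-IisFlag $vdir "AccessWrite") -and -not $vdirs[$name].WriteExpected) {
        "  IIS: Write permission enabled"
    }
    if (Get-IisFlag $vdir "EnableDirBrowsing")       { "  IIS: Directory browsing enabled" }
    if (Get-IisFlag $vdir "AuthAnonymous")           { "  IIS: Anonymous access enabled" }
    if (-not (Get-IisFlag $vdir "EnableDefaultDoc")) { "  IIS: No default document configured" }
    if (Test-Path $physical) { Test-WeakNtfsAcl -Path $physical }
}
```

    Run it as a local administrator on the BizTalk host; every line it prints after a directory name is one of the settings the advisory calls weak.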



    These weak permissions can be exploited by an attacker in many ways, for example:
    -In the case of site "http://server/BizTalkServerDocs/", an attacker can upload pages and
    replace HTML documentation pages with pages containing dangerous ActiveX controls, IE exploits, etc.
    -In the case of site "http://server/BizTalkServerRepository/", an attacker can replace XML
    files with other XML files, causing Biztalk Server to fail when it uses the altered XML files.
    -etc.


    Vendor Status:

    Microsoft was contacted several months ago and has now released a Knowledge Base article.


    Patch Available:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;824935


    SQL SECURITY LIST!!!: For people interested in SQL Server security, vulnerabilities, SQL injection, etc.
    Get advisories and vulnerabilities before!!!
    Join at:
    sqlserversecurity-subscribe@yahoogroups.com
    http://groups.yahoo.com/group/sqlserversecurity/

