Re: Web Services
From: Ivan Hernandez (ivan.hernandez@globalsis.com.ar)
Date: 03/08/02
- Previous message: Colin Stefani: "RE: Automatic Updates on XP Pro"
- In reply to: Phillip Parris: "RE: Web Services"
- Next in thread: Paul Heinlein: "Re: Web Services"
- Next in thread: juan.francisco.falcon@ar.pwcglobal.com: "Re: Web Services"
- Reply: Paul Heinlein: "Re: Web Services"
Date: Fri, 08 Mar 2002 15:48:44 -0300
From: Ivan Hernandez <ivan.hernandez@globalsis.com.ar>
To: Phillip Parris <pparris@appliedsystems.com>
But I'm sure Apache does not install ksh or sh (I have installed Apache
on several Windows machines and it never did that). I was just pointing out that the
scanner is getting wrong results.
Thanks
Ivan Hernandez
Phillip Parris wrote:
>He did have IIS installed. It's a 2000 server; he now has Apache for Windows
>installed.
>
>-----Original Message-----
>From: Ivan Hernandez [mailto:ivan.hernandez@globalsis.com.ar]
>Sent: Thursday, March 07, 2002 2:12 PM
>To: Jacob McMaster
>Cc: focus-ms@securityfocus.com
>Subject: Re: Web Services
>
>
>That's the output of the scan? Well... I have never seen ksh and
>cmd.exe!!!! You have not only several security problems, so you got
>multiplatform security problems!!!!!! =o)
>I think your WebScan has been drinking, so try the test again. If it
>continues saying the same, dump it and try the powerful and omnisapient
>Nessus Scanner (http://www.nessus.org).
>
>Good luck!
>Ivan Hernandez
>
>
>jmcmaster@appliedsystems.com wrote:
>
>>Cerberus WebScan is telling me this about my server; it says it's IIS/5.0,
>>but I have that uninstalled, and all of its services stopped, and have
>>Apache running on it, and I don't even have these dirs on my server, and I
>>don't know if this is a real security problem or not, and the access log
>>from Apache I will attach too, but it just shows 404 errors when it tried to
>>access these files. Can anyone explain to me what's going on, or if I should
>>even worry? This is a Win2k server w/ SP2, and all the security updates,
>>except maybe one, with Apache 1.3.2.3 win32 version. Thanks.
>>
>>Web Service
>>Web Server Software is Microsoft-IIS/5.0
>>Security Issues
>><http://www.shadey.com/cgi-bin/>
>>Directory listing is allowed of the /cgi-bin/. This allows an attacker to
>>browse through scripts and executables in this directory allowing them to
>>target and exploit potential weaknesses. Directory browsing should be
>>disabled.
>><http://www.shadey.com/scripts/>
>>Directory listing is allowed of the /scripts/ directory. This allows an
>>attacker to browse through scripts and executables allowing them to target
>>and exploit potential weaknesses. Directory browsing should be disabled.
>><http://www.shadey.com/cgi-bin/sh>
>>The UNIX shell interpreter "sh" has been found in the /cgi-bin/. This should
>>be removed as it could allow remote attackers to run commands on the web
>>server remotely
>><http://www.shadey.com/cgi-bin/csh>
>>The UNIX C shell interpreter "csh" has been found in the /cgi-bin/. This
>>should be removed as it could allow remote attackers to run commands on the
>>web server remotely
>><http://www.shadey.com/cgi-bin/ksh>
>>The UNIX shell interpreter "ksh" has been found in the /cgi-bin/. This
>>should be removed as it could allow remote attackers to run commands on the
>>web server remotely
>><http://www.shadey.com/cgi-bin/cmd.exe?/c>
>>The Windows NT shell interpreter "cmd.exe" has been found in the /cgi-bin/.
>>This should be removed as it allows remote attackers to run commands on the
>>web server remotely.
>><http://www.shadey.com/scripts/cmd.exe?/c>
>>The Windows NT shell interpreter "cmd.exe" has been found in the /scripts/
>>directory. This should be removed as it allows remote attackers to run
>>commands on the web server remotely.
>><http://www.shadey.com/cgi-bin/cmd32.exe>
>>Perl's "cmd32.exe" has been found in the /cgi-bin/. This should be removed
>>as it allows remote attackers to run commands on the web server remotely
>><http://www.shadey.com/scripts/cmd32.exe>
>>Perl's "cmd32.exe" has been found in the /scripts/ directory. This should be
>>removed as it allows remote attackers to run commands on the web server
>>remotely
>><http://www.shadey.com/cgi-bin/perl.exe?-v>
>>Perl.exe found in the /cgi-bin. This is highly dangerous as it allows an
>>attacker to run system commands. This should be removed as soon as possible.
>
>><http://www.shadey.com/scripts/perl.exe?-v>
>>Perl.exe found in the /scripts directory. This is highly dangerous as it
>>allows an attacker to run system commands. This should be removed as soon as
>>possible.
>><http://www.shadey.com/scripts/tools/newdsn.exe>
>>Newdsn.exe can be used by an a attacker to create files anywhere on your
>>disk if they have the NTFS correct file permissions to do so. Newdsn.exe can
>>also be used to overwrite the DSNs on existing on-line databases making the
>>information contained in the database inaccessible.
>>This file, getdrvrs.exe, dsnform.exe and mkilog.exe should be deleted or
>>renamed unless there is a strong reason not to do so. In that case, ensure
>>that only Administrators may access them.
>><http://www.shadey.com/_vti_bin/fpcount.exe?Page=default.htm|Image=3|Digits=15>
>>Fpcount.exe has been found in the /_vti_bin/ directory. If, when the link
>>above is followed, fifteen digits are displayed this version of fpcount.exe
>>is from the FrontPage Server Extentions 97 package and it contains a buffer
>>overrun that allows remote execution of arbitary code.
>>This should be deleted until a copy of the 98 version of FrontPage can be
>>obtained.
>>http://www.shadey.com/iissamples/issamples/query.asp
>><http://www.shadey.com//iissamples/issamples/query.asp>
>>The query.asp page is the default sample search page for Index Server on
>>IIS4. From here an attacker can perform searches for files of a certain type
>>using "#filename=*.exe" or "#filename=*.asp". Ensure that Index Server has
>>been configured not to return reults for searches such as these.
>>Server exhibits the ::$DATA bug.
>>This can allow an attacker to download the source of scripts, such as Active
>>Sever pages or Perl scripts. This problem is fixed with service pack 4 or a
>>post SP3 hotfix can be downloaded the Microsoft web site.
>><http://www.shadey.com/samples/search/queryhit.htm>
>>The queryhit.htm page is the default sample search page for Index Server
>>1.1. From here an attacker can perform searches for files of a certain type
>>using "#filename=*.exe" or "#filename=*.asp". Ensure that Index Server has
>>been configured not to return reults for searches such as these.
>><http://www.shadey.com/iissamples/exair/search/advsearch.asp>
>>The sample ExAir site contains a number of scripts that can cause a
>>temporary situation where the inetinfo.exe process consumes 100 percent of
>>the processor time for 90 secs. This only happens if the Index Server ISAPI
>>dlls have not been loaded into memory. If they are not and this page or
>>query.asp or search.asp Are accessed directly the script will loop.
>>The solution to this problem is to remove these files.
>>http://www.shadey.com/iisadmpwd/aexp2.htr
>><http://www.shadey.com/iisadmpwd/aexp3.htr>
>>From here an attacker can launch password attacks against the local machine
>>or or proxied attacks against other machines on the network. More
>>information can be found here
>><http://www.infowar.co.uk/mnemonix/iispassproxy.htm>
>><http://www.shadey.com/scripts/repost.asp>
>>Microsoft's Site Server 2.0 is installed. This allows users to upload files
>>to the /users directory. Even if it doesn't exist any valid user can create
>>the diectory via the web and the default NTFS permissions given to this
>>directory give the Everybody Group the "Change" permission - which allows
>>anybody to create, modify or delete files in that directory. Added to this
>>IIS gives the "Write" permission allowing users to use the HTTP PUT
>>REQUEST_METHOD to place content on the web site via the HTTP protocol.
>>Because of the defaults, if anonymous access is granted to the site anybody
>>can do this. Ensure that, if the directory exists the Anonymous Internet
>>Account is given only read access to this directory. Remove change
>>permissions for the Everybody Group and assign permissions per user.
>><http://www.shadey.com/iissamples/exair/howitworks/codebrws.asp>
>>This sample script should be removed. It allows attackers to access files on
>>the same volume as the IIS install outside of the web file system.
>><http://www.shadey.com/msadc/samples/selector/showcode.asp>
>>This sample script should be removed. It allows attackers to access files on
>>the same volume as the IIS install outside of the web file system.
>><http://www.shadey.com/search?>
>>The search engine on Netscape Enterprise Server 3.5.x is enabled by default.
>>It is possible, by using specially formed search requests to obtain the
>>source scripts. The search engine and collections indexed should be checked
>>carefully to see if this problem exists on this site. If the search
>>functionality is not needed it should be disabled from the administration
>>pages.
>><http://www.shadey.com/index.html>
>>By appending to the end of a file on Windows NT with Netscape Enterprise
>>3.5.x it accesses the raw data and consequently allows downloading of script
>>source. There is a patch available to resolve this issue.
>><http://www.shadey.com/scripts/rguest.exe>
>>rguest.exe (Webcom CGI guestbook) has a vulnerability that allows files
>>anywhere on the file system to be read. It is suggested that wguest.exe be
>>removed.
>><http://www.shadey.com/cgi-bin/rguest.exe>
>>rguest.exe (Webcom CGI guestbook) has a vulnerability that allows files
>>anywhere on the file system to be read. It is suggested that rguest.exe be
>>removed.
>><http://www.shadey.com/scripts/wguest.exe>
>>wguest.exe (Webcom CGI guestbook) has a vulnerability that allows files
>>anywhere on the file system to be read. It is suggested that wguest.exe be
>>removed.
>><http://www.shadey.com/cgi-bin/wguest.exe>
>>wguest.exe (Webcom CGI guestbook) has a vulnerability that allows files
>>anywhere on the file system to be read. It is suggested that wguest.exe be
>>removed.
>><http://www.shadey.com/cgi-bin/get32.exe>
>>On Alibaba web servers this CGI program can be used to run commands. It
>>should be removed or updated.
>><http://www.shadey.com/cgi-bin/alibaba.pl>
>>This script can be exploited to allow commands to be run on the server
>>remotely. It should be removed or updated.
>><http://www.shadey.com/cgi-bin/tst.bat>
>>tst.bat can be exploited to run commands on the server remotely. It should
>>be removed.
>><http://www.shadey.com/cgi-win/uploader.exe>
>>uploader.exe can be exploited to allow attackers to upload files remotely.
>>Ensure you are not vulnerable and if you are update it or remove it.
>><http://www.shadey.com/cgi-bin/FormHandler.cgi>
>>FormHandler.cgi uses physical paths for web form templates. An attacker can
>>locally (ie on their machine) modify the form and gain access to sensitive
>>files such as /etc/passwd. This should be updated to prevent this.
>><http://www.shadey.com/cgi-bin/testcgi>
>>Some early versions of testcgi have a vulnerability where *NIX shell
>>metacharacters can be fed in and reveal directory listings etc. testcgi
>>should be removed anyway as it gives away too much information about the
>>system.
>>http://www.shadey.com/cgi-bin/testcgi/*?*
>><http://www.shadey.com/cgi-bin/test-cgi/*?*>
>>Some versions of test-cgi have a vulnerability where *NIX shell
>>metacharacters can be fed in and reveal directory listings etc. test-cgi
>>should be removed anyway as it gives away too much information about the
>>system.
>><http://www.shadey.com/cgi-bin/test.cgi>
>>Enusre that test.cgi, found in the /cgi-bin strips out shell metacharacters
>>from HTTP input test.cgi should be removed anyway as it gives away too much
>>information about the system.
>><http://www.shadey.com/cgi-bin/environ.pl>
>>environ.pl should be removed anyway as it gives away too much information
>>about the system.
>><http://www.shadey.com/scripts/environ.pl>
>>environ.pl should be removed anyway as it gives away too much information
>>about the system.
>><http://www.shadey.com/server-info>
>>server-info reveals too much information about the system. Limit access to
>>this location in httpd.conf
>><http://www.shadey.com/server-status>
>>server-status reveals too much information about the system. Limit access to
>>this location in httpd.conf
>><http://www.shadey.com/cgi-bin/tcsh>
>>The UNIX shell interpreter "tcsh" has been found in the /cgi-bin/. This
>>should be removed as it could allow remote attackers to run commands on the
>>web server remotely
>><http://www.shadey.com/cgi-bin/cgitest.exe>
>>Cgitest.exe, by Antelope Software, found in the /cgi-bin/ directory,
>>exhibits a buffer overrun
>>vulnerability caused by an overly long User-Agent HTTP client header field.
>>If exploited it can
>>allow attackers to execute arbritary code. Cgitest.exe should be removed.
>><http://www.shadey.com/~root>
>>Access to /~root is allowed. This potentially gives an attacker access to
>>the whole
>>files system. This should be fixed as soon as is possible.
>><http://www.shadey.com/~ftp>
>>Access to /~ftp is allowed. This presents a problem if Server Side Includes
>>are turned on and
>>anonymous uploads are allowed via ftp. Even still, remote users should be
>>denied access to this directory.
>><http://www.shadey.com/cgi-bin/phf?Qalias=&Qname=haqr&Qemail=&Qnickname=&Qoffice_phone=>
>>Older versions of the phf script don't strip the newline character from user
>>supplied input. Consequently
>>it allows attackers to run arbitary commands on the web server. Ensure this
>>script is not vulnerable.
>><http://www.shadey.com/cgi-bin/count.cgi>
>>Some versions of count.cgi contain a buffer overrun. A CERT advisory was
>>issued reference this
>>issue. See <http://www.cert.org>.
>><http://www.shadey.com/cgi-bin/nph-test-cgi>
>>Some versions of the nph-test-cgi script do not check user supplied input
>>properly allowing attackers
>>to get directory listings. It's would be safer to removed it anyway as it
>>gives out too much information.
>><http://www.shadey.com/cgi-bin/webdist.cgi>
>>Webdist.cgi, as distributed with IRIX 5.x and 6.x contains a vulnerability
>>that allows remote attackers
>>execute commands. It should be removed.
>><http://www.shadey.com/cgi-bin/aglimpse>
>>Some early versions of the aglimpse script ( < c. late 1997) contain a
>>vulnerability that allows
>>remote attackers to run commands on the server. If you have not updated
>>recently see <http://glimpse.cs.arizona.edu>.
>>
>>ACCESS LOG from apache
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/ HTTP/1.0" 403
>>291
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "HEAD / HTTP/1.0" 200 0
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /*.idc HTTP/1.0" 403
>>288
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/ HTTP/1.0" 404
>>287
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/csh HTTP/1.0"
>>404 290
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/sh HTTP/1.0"
>>404 289
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/ksh HTTP/1.0"
>>404 290
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/cmd.exe?/c
>>HTTP/1.0" 404 294
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/cmd.exe?/c
>>HTTP/1.0" 404 294
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/cmd32.exe
>>HTTP/1.0" 404 296
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/cmd32.exe
>>HTTP/1.0" 404 296
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/perl.exe?-v
>>HTTP/1.0" 404 295
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/perl.exe?-v
>>HTTP/1.0" 404 295
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET
>>/scripts/tools/newdsn.exe HTTP/1.0" 404 303
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET
>>/_vti_bin/fpcount.exe?Page=default.htm|Image=3|Digits=15 HTTP/1.0" 404 299
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET
>>/samples/search/queryhit.htm HTTP/1.0" 404 306
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET
>>/iissamples/issamples/query.asp HTTP/1.0" 404 309
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/*%0a.pl
>>HTTP/1.0" 404 292
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET
>>/iissamples/exair/search/advsearch.asp HTTP/1.0" 404 316
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /iisadmpwd/aexp3.htr
>>HTTP/1.0" 404 298
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/repost.asp
>>HTTP/1.0" 404 297
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "OPTIONS / HTTP/1.0" 200 -
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "OPTIONS /users/ HTTP/1.0"
>>200 -
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "OPTIONS /cgi-bin/ HTTP/1.0"
>>200 -
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "OPTIONS /scripts/ HTTP/1.0"
>>200 -
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET
>>/msadc/samples/selector/showcode.asp HTTP/1.0" 404 314
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET
>>/iissamples/exair/howitworks/codebrws.asp HTTP/1.0" 404 319
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /?PageServices
>>HTTP/1.0" 200 1852
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /search? HTTP/1.0" 404
>>285
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /index.html%20
>>HTTP/1.0" 200 1852
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/rguest.exe
>>HTTP/1.0" 404 297
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/rguest.exe
>>HTTP/1.0" 404 297
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/wguest.exe
>>HTTP/1.0" 404 297
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/wguest.exe
>>HTTP/1.0" 404 297
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/get32.exe
>>HTTP/1.0" 404 296
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/alibaba.pl
>>HTTP/1.0" 404 297
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/tst.bat
>>HTTP/1.0" 404 294
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-win/uploader.exe
>>HTTP/1.0" 404 299
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET
>>/cgi-bin/FormHandler.cgi HTTP/1.0" 404 302
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/testcgi
>>HTTP/1.0" 404 294
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/test-cgi/*?*
>>HTTP/1.0" 404 297
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/test.cgi
>>HTTP/1.0" 404 295
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/enivron.pl
>>HTTP/1.0" 404 297
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/environ.pl
>>HTTP/1.0" 404 297
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /server-info HTTP/1.0"
>>404 290
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /server-status
>>HTTP/1.0" 404 292
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/tcsh HTTP/1.0"
>>404 291
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/cgitest.exe
>>HTTP/1.0" 404 298
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /~root HTTP/1.0" 404
>>284
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /~ftp HTTP/1.0" 404
>>283
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET
>>/cgi-bin/phf?Qalias=&Qname=haqr&Qemail=&Qnickname=&Qoffice_phone= HTTP/1.0"
>>404 290
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/count.cgi
>>HTTP/1.0" 404 296
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/nph-test-cgi
>>HTTP/1.0" 404 299
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/webdist.cgi
>>HTTP/1.0" 404 298
>>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/aglimpse.cgi
>>HTTP/1.0" 404 299
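Ivan's point is that the scanner's "found" list has to be checked against what the server actually answered. As an added example (not from anyone in the thread), here is a small Python triage script that parses Apache Common Log Format lines like the ones Jacob posted, maps each path the scanner reported to the status Apache returned for it, and flags the one-second request bursts that mark an automated scan; the sample log lines and the reported-path list are constructed, modelled on the quoted log.

```python
import re
from collections import defaultdict

# Apache Common Log Format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample, modelled on the access log quoted in the thread (not copied verbatim).
SAMPLE_LOG = """\
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/ HTTP/1.0" 403 291
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/sh HTTP/1.0" 404 289
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/cmd.exe?/c HTTP/1.0" 404 294
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/perl.exe?-v HTTP/1.0" 404 295
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "OPTIONS / HTTP/1.0" 200 -
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /index.html%20 HTTP/1.0" 200 1852
10.0.0.5 - - [07/Mar/2002:10:25:41 -0800] "GET /index.html HTTP/1.0" 200 1852
"""
# Constructed list of paths the scanner claimed to have found; /cgi-bin/ksh is deliberately absent from the log.
REPORTED = ["/cgi-bin/", "/cgi-bin/sh", "/cgi-bin/cmd.exe?/c", "/index.html%20", "/cgi-bin/ksh"]

def parse_line(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def triage_findings(log_text, reported_paths):
    """Bucket each scanner-reported path by the status Apache actually returned for it."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] in ("GET", "HEAD"):
            seen.setdefault(rec["path"], rec["status"])  # first answer for a path wins
    buckets = {"false_positive": [], "denied": [], "needs_review": [], "not_in_log": []}
    for path in reported_paths:
        status = seen.get(path)
        if status is None:
            buckets["not_in_log"].append(path)            # scanner never actually requested it
        elif status == 404:
            buckets["false_positive"].append(path)        # resource does not exist on this server
        elif status == 403:
            buckets["denied"].append(path)                # mapped, but access (e.g. listing) refused
        else:
            buckets["needs_review"].append((path, status))  # server served something: look at it
    return buckets

def scanner_bursts(log_text, threshold=10):
    """Return (ip, timestamp) pairs that issued at least `threshold` requests within one second."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["ip"], rec["ts"])] += 1
    return sorted(k for k, n in counts.items() if n >= threshold)
```

Anything in the needs_review bucket (here the trailing-space request for /index.html%20 that Apache answered with 200) is the only part of the report worth a manual look; the 404s are the scanner guessing.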