Re: Frontpage 2002 NETWORK security Problem in Shared Hosting Environments
From: Dinis Cruz (dinis_at_ddplus.net)
Date: 05/19/03
Date: 18 May 2003 17:37:47 -0700
Well, security by obscurity doesn't really work when one can browse the
entire directory structure and read all files!

I'm starting to realize that this problem is more serious than I
originally predicted. I have found numerous posts in several Microsoft
newsgroups all talking about this problem and with nobody presenting a
clear cut solution for it (except of course, the "SECURE SHARED
HOSTING WITH IIS 5.0" Security Guide - created by DDPlus - which is
still in Draft mode and needs to be independently verified).

Currently we (at DDPlus) have subscribed to more than 7 ISPs (read:
paid the initial joining and sometimes the full year hosting fees) to
try to find an ISP that can securely host our website. And ALL have
the FSO security vulnerability (i.e. browse the hard-drive), some have
the command prompt vulnerability, and in some cases the websites are
running under the SYSTEM account (which means that I can execute
commands on the server with administrative rights!)

This is a real problem because we are about to launch a new version of
our website with the public launch of the guide (initially only
available to ISPs and IIS 5.0 system administrators) and we want to
include proof that our server is secure. It would be unacceptable for
us to go public & launch our new website in an unsecure mode.

What I don't understand is how come this is not already a huge
scandal. Surely the ISPs don't consider this to be an acceptable
service, and I'm sure that the clients that have their websites hosted
in these vulnerable servers, would be very angry at the ISP, if they
knew that any person that had a valid username and password could read
all files in their website and possibly have total control over their
SQL/Access database.

Given the amount of Microsoft IIS 5.0 servers that exist today, I
don't even want to think about the number of sites that are vulnerable
to these problems.

The serious part, is that I have found servers with Windows 2003 and
IIS 6.0 from reputable ISPs, that have the same problems!!!
(folder/file browsing and remote command execution), which means that
although IIS 6.0 seems to have the tools to implement secure shared
hosting environments (although we at DDPlus haven't finished our tests
and there is no guide published by Microsoft that shows how this can
be done), the ISPs that are upgrading from 2000 to 2003 are not as
secure as they think they are.

I am trying to contact Microsoft to discuss these problems and see how a
solution for this "IIS 5.0 and IIS 6.0 Shared Hosting" issue can be
resolved. But so far I have had no luck.

Al, (or whoever is also reading this) if you know who in Microsoft is
responsible for IIS security, please ask them to contact me so that we
can talk.

Talk to you

Best regards

Dinis Cruz
IT Security Consultant
DDPlus
dinis@ddplus.co.uk

"al" <news@thispartisfake-13c.com> wrote in message news:<#LnNdq3GDHA.2196@TK2MSFTNGP11.phx.gbl>...
> Yes the mysterious Q313604. I read that once deleted article long ago, it
> was a security by obscurity solution as I recall with obfuscated directory
> names for the site roots. They provided a script example of how to generate
> random dir names... There was a FrontPage exploit that renders that fix
> hopeless, someone showed me a vulnerability scan report that revealed the
> Full path of a frontpage extended web by some trick anonymously. I have to
> say that I have not gotten a chance to really sink my teeth into the 2003
> Server fix yet, I expect to do it in the next couple months. There was also
> a similar ASP.NET bug that was another ISP crusher that was supposed to be
> fixed in 1.1 of the Framework and 2003 server. At this point I am feeling
> good about 2003 server so far but I do feel a bit nervous that I didn't hear
> much about beta testing these aspects of 2003 because they did not put this
> stuff in the Betas.
>
> I will be sending email I am very curious about your solution.
>
> al
>
> PS I guess we are the only ones who haven't signed NDA's on this group!
>
> "Dinis Cruz" <dinis@ddplus.net> wrote in message
> news:701fd6b6.0305151835.45e55b0c@posting.google.com...
> > Dear al
> >
> > Thanks for your message.
> >
> > I had previously researched the web/newsgroups and the reason of my
> > post was because I didn't find a solution. I did read your posts and I
> > have to say that they were very knowledgeable and accurate.
> >
> > I share your preoccupation with the scale of the problem. I also
> > believe that the "FrontPage NETWORK Vulnerability" security risk is
> > very high and, servers in a shared hosting environment cannot allow
> > (for example) users from one website to see the contents of other
> > websites hosted in the same server.
> >
> > As mentioned in my last post I work for a UK based security company
> > that has worked on several security projects involving IIS 5.0 and
> > Sharepoint Team Services hosting.
> >
> > After careful research we were able to find a solution that solved (in
> > our Labs) the current security problems associated with shared hosting
> > of IIS 5.0 and FrontPage Extensions 2002.
> >
> > We have produced a guide called "SECURE SHARED HOSTING WITH IIS 5.0 -
> > Security Guide to securely deploy Microsoft IIS 5.0 in a Shared
> > hosting environment" (see table of contents at the end of this post)
> >
> > The guide aims to help others to build secure servers based on the
> > solutions and configurations researched, developed and tested by us.
> >
> > Because the guide contains code that allows the easy exploitation of
> > the security vulnerabilities (such as directory browsing, read content
> > of sensitive files and remote command execution), we are being very
> > cautious about its distribution and, initially only intend to release
> > the guide to security contacts within ISPs plus, a limited number of
> > system administrators that manage IIS 5.0 servers within their
> > organization.
> >
> > We will eventually release the guide and the code in our website. But
> > at this moment in time what we are looking for is to have third party
> > confirmation that the solutions presented do work in a live
> > environment on servers hosting hundreds of websites. We are currently
> > working with a couple of ISPs in the UK, and will soon post the
> > results of that experience.
> >
> > Al, If you want to receive a copy of the guide (which includes the
> > security templates and the test/exploit code) please send me an email
> > directly (dinis@ddplus.net). I would value your opinion, since you
> > have been involved with this issue for quite a while and have
> > implemented a solution yourself.
> >
> > Question: did you ever manage to read the document "FPSE2002: How to
> > Create a Secure Directory Structure for a Multi-Hosted Configuration
> > (Q313604)"? It doesn't exist on Microsoft website (although it is
> > referenced here: http://www.kbalertz.com/allKbs.aspx?tec=62) and
> > google doesn't have a cached copy of it anymore
> >
> > Best regards
> >
> > Dinis Cruz
> > IT Security Consultant
> > DDPlus
> > dinis@ddplus.net
> >
> >
> >
> > "al" <news@thispartisfake-13c.com> wrote in message
> > news:<uIi6rPqGDHA.2196@TK2MSFTNGP11.phx.gbl>...
> > > It is not solved but if you do a search for NETWORK INTERACTIVE FRONTPAGE or
> > > SECURE SHARED HOSTING FRONTPAGE in the archives with google you can find
> > > many of my rants, a work around and relief when I found out the version with
> > > 2003 has an ISP grade solution. I do not know if they will include this
> > > switch in the next patch of the extensions. It does not seem to be wedded to
> > > any IIS 6 specific functionality but I know the IIS 6 version is different
> > > internally. I support you in your efforts, make some noise!
> > >
> > > al
> > >
> > > "Dinis Cruz" <dinis@ddplus.net> wrote in message
> > > news:701fd6b6.0305111335.2b57a9e7@posting.google.com...
> > > > Hello
> > > >
> > > > I would like to ask this group if this problem (the fact that FP2002
> > > > adds the NETWORK and the INTERACTIVE accounts to the directories used
> > > > by FP webs) is solved? (via a service pack or security patch)
> > > >
> > > > I work for a security company and we are working on a solution for the
> > > > security problems with Shared Hosting in IIS 5.0 .
> > > >
> > > > I know that (apparently) Windows 2003 solves this problem, but at the
> > > > moment upgrading is not an option (upgrading is very hard when you
> > > > have servers hosting 500+ websites).
> > > >
> > > > I agree with the previous posts in this newsgroup that this is a very
> > > > serious problem. We are currently writing a "ISP Guide to securely
> > > > implement IIS 5.0 in a shared hosting environment" and the ways to
> > > > exploit this problem (via FSO for example) are quite frightening.
> > > >
> > > > Thanks for the Support
> > > >
> > > > Dinis Cruz
> > > > IT Security Consultant
> > > > www.ddplus.net
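
An administrator-side check for the condition this thread discusses (FP2002 adding the NETWORK and INTERACTIVE accounts to the directories used by FrontPage webs), added here as an example; it is not from the posts or from the DDPlus guide. The hosting root `D:\WebSites` with one folder per hosted site, and the function name `Get-BroadAce`, are assumptions.

```powershell
# Added example: report site-root folders whose ACL grants access to the
# NETWORK or INTERACTIVE well-known groups.
param(
    # Assumption: every hosted site has its own folder directly under this root.
    [string]$HostingRoot = 'D:\WebSites'
)

# Match on well-known SIDs so that localized account names do not matter.
$BroadSids = @{
    'S-1-5-2' = 'NETWORK'
    'S-1-5-4' = 'INTERACTIVE'
}

function Get-BroadAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Ask for explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($BroadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                # False: the ACE was set on this folder itself.
                # True: it comes from a parent folder and must be fixed there.
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check each site root; any row means accounts that are not specific to the
# site's own user can reach that site's content.
$findings = Get-ChildItem -LiteralPath $HostingRoot -Directory |
    ForEach-Object { Get-BroadAce -Path $_.FullName }

$findings | Sort-Object Path, Principal | Format-Table -AutoSize
```

An empty result only covers the site-root folders themselves; subfolders with their own explicit ACEs need the same check.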