Frontpage 2002 NETWORK security Problem

From: Dinis Cruz (dinis_at_ddplus.net)
Date: 05/11/03

    Date: 11 May 2003 12:01:04 -0700
    
    

    Hello

    I would like to ask this group if this problem (the fact that FP2002
    adds the NETWORK and the INTERACTIVE accounts to the directories used
    by FP webs) is solved? (via a service pack or security patch)

    I work for a security company and we are working on a solution for the
    security problems with Shared Hosting in IIS 5.0.

    I know that (apparently) Windows 2003 solves this problem, but at the
    moment upgrading is not an option (upgrading is very hard when you
    have servers hosting 500+ websites).

    I agree with the previous posts in this newsgroup that this is a very
    serious problem. We are currently writing an "ISP Guide to securely
    implement IIS 5.0 in a shared hosting environment" and the ways to
    exploit this problem (via FSO for example) are quite frightening.

    Thanks for the Support

    Dinis Cruz
    IT Security Consultant
    www.ddplus.net

