Bugtraq mailing list archives
Re: I.I.S and Security - No authentication of scripts.
From: gregh () INSTINCTIVE COM (Greg Haverkamp)
Date: Thu, 6 Mar 1997 14:57:27 -0500
Well, I just spent the better part of today looking at this. Fortunately, I came in late. :) At 04:44 PM 3/5/97 GMT, you wrote:
This may have be mentioned on the BUGTRAQ mailing list, but I couldn't find it. The information is supplied as quoted by Chris Borneman. I've had some problems trying to verify this on the DEC Alpha version of I.I.S 3.0
I've not seen it before. I've been able to replicate this under circumstances certain circumstances. I feel comfortable that I've isolated a some relatively obscure cases when this will happen. Incidentally, I'm running Peer Web Services with Active Server Pages. So, I'm not an exact match, but I'm pretty close.
-------------------------------------------------------------------- When securing your site based on membership (who you are, not where you are located), IIS turns to NTFS and the security access associated with the file. For instance, in IIS you have the ability to say "Allow Anonymous". This is used in conjuction with the "Anonymous Logon". The reason is simple, and file that can be accessed by the account specified in "Anonymous Logon" can be accessed by any Web user hitting your site.
[...]
If the credentials match the access to the file in question, the file is sent. Try this for yourself. Create a directory under your wwwroot and use the NT Explorer to revoke rights on that directory and any subdirectory and only allow the SYSTEM and your specific account access (make sure it isn't the IUSR_machine_name account. Place an htm file in that directory, then access from Internet Explorer. You'll be asked to give your user name and password (assuming you allow Basic Authentication and turn off Windows NT Challenge/Response).
Yup. This works. Just as I would expect it to.
However, if you do the same for a script, IIS still _executes_ it and sends back the results. This isn't an issue of "Read" vs. "Execute". The script isn't readable. The directory I'm dealing with has "Read" off and "Execute" on. However, the script also shouldn't be accessible or ran until I provide my credentials, and that is the SECURITY HOLE. Netscape's Server does this _correctly_, so why not Microsoft?
If I look at the HTML file, go back to Internet Service Manager and change permissions to Execute only, and then go to execute, I will not be prompted. My username and password are cached as expected. Kill Internet Explorer. Start it back up. Point it to http://mymachine/passtest/passtest.exe, and I am prompted for a username and password. Enter it, and the script runs. If the file I am accessing is of a certain type (.exe, .asp, or .pl) I have no problem. When I try .plx (for the PerlIS.dll), the script will never be executed.
IIS is supposed to access _every_ file within the thread context of either anonymous, or the specific Web user. IIS does this for all non-script files. However, it does not for script files.
Unless this is very specific to IIS (i.e., doesn't work with Peer Web Services w/ASP), this does not appear to be a reproducible problem. If anyone else is trying this, be absolutely certain you close IE after looking at static pages. Greg
Current thread:
- Bug in connect() for aix 4.1.4 ? Cahya Wirawan (Mar 05)
- Re: Bug in connect() for aix 4.1.4 ? Steve Campbell (Mar 05)
- I.I.S and Security - No authentication of scripts. daragh_malone () TELECOM IE (Mar 05)
- Re: I.I.S and Security - No authentication of scripts. Greg Haverkamp (Mar 06)
- 4.4BSD NFS File Handles David Sacerdote (Mar 06)
- 4.4BSD NFS File Handles Aleph One (Mar 06)
- I.I.S 3.0: Another slight security concern ? daragh_malone () TELECOM IE (Mar 07)
- COLD FUSION BUG Bill Staples (Mar 07)
- Re: Bug in connect() for aix 4.1.4 ? Rikhardur Egilsson (Mar 05)
- Re: Bug in connect() for aix 4.1.4 ? Frank Hofmann (Mar 06)
- Re: Bug in connect() for aix 4.1.4 ? Ollivier Robert (Mar 06)
- Yet another Internet Explorer bug... Aleph One (Mar 06)
- I.I.S and Security - No authentication of scripts. daragh_malone () TELECOM IE (Mar 05)
- Re: Bug in connect() for aix 4.1.4 ? Steve Campbell (Mar 05)
- <Possible follow-ups>
- Re: Bug in connect() for aix 4.1.4 ? Steve Campbell (Mar 11)
- Re: Bug in connect() for aix 4.1.4 ? Valdis.Kletnieks () VT EDU (Mar 11)