Vulnerability Development mailing list archives
IIS4 / WAP vulnerability?
From: bbl () AVENIR NO (Bjørnar B. Larsen)
Date: Fri, 25 Feb 2000 18:38:22 +0100
Is there a way that IIS4 may bypass NTFS rights? WAP server: NT4 sp6a + all hotfixes; IIS4 + all hotfixes; Exchange 5.5 OWA SP3 (only the OWA part, it's not the actual Exchange server). What happened: 1. I connected to the WAP server with my Nokia WAP mobile phone, wanting to read e-mail. I logged on using my credentials. Got my email, started reading. 2. A friend sitting next to me connects to the same WAP server, but his Nokia WAP phone hangs before he gets to enter his password. 3. He reboots hos cellular, reconnects to the WAP server, is not asked for any username/password. Then he gets to read MY email! Setup of the WAP server: Virtual catalogue: execute (including script), anonymous access, basic authentication. NTFS rights: Domain Users:READ; Administrators:FULL; SYSTEM:FULL (note: IUSR_<machine> has no explicit access). I am at this time not sure if there's any special WAP parsers or similar installed. Usual ASP files are used, so I guess it's the ASP engine. Perhaps the default document gets sent regardless of NTFS rights? If so, IIS4's broken. Any suggestions how and why my friend got logged on as *me*? There's no reason why he should, even though I was the last to log on and still logged on, while he connected. Cheers, :) Bjørnar Ps. Needless to say I've turned off the WAP functionality and asked the developers to look into it. It would be nice to get an in-depth discussion going here, though.
Current thread:
- Re: Single SignOn Ben Grubin (Feb 24)
- <Possible follow-ups>
- Re: Single SignOn Vanna P. Rella (Feb 24)
- Re: Single SignOn Ben Grubin (Feb 24)
- Re: Single SignOn Diane Davidowicz (Feb 25)
- IIS4 / WAP vulnerability? Bjørnar B. Larsen (Feb 25)
- Re: Single SignOn Zev Lavon (Feb 25)
- Re: Single SignOn Erwin Geirnaert (Feb 28)