Message-ID: <20030619141202.24441.qmail@www.securityfocus.com>
Date: 19 Jun 2003 14:12:02 -0000
From: thomas adams <tgadams@...lsouth.net>
To: bugtraq@...urityfocus.com
Subject: SurfControl Web Filter for Microsoft ISA Server Vulnerability

SurfControl Web Filter for Microsoft ISA Server Vulnerability

Package:          SurfControl Web Filter for Microsoft ISA
Vendor Web Site:  http://www.surfcontrol.com
Version:          4.2.0.21
Platforms:        Windows 2000 Server
Local:            No
Remote:           Yes
Fix Available:    No (recommended steps listed below)
Vendor Contacted: Sunday, June 08, 2003
Advisory Author:  Thomas Adams (tgadams@...lsouth.net)


Background:
SurfControl Web Filter is a URL filtering system designed to be deployed
easily on most networks. SurfControl for Microsoft ISA is a plugin that
gives Microsoft ISA Server finer control over Internet usage. The plugin
retains most of the benefits of the stand-alone product, including
customizable reporting, an easy administration interface, and a remote
interface for report retrieval.


Exploit:
An attacker can view or download arbitrary files from the server through a
directory traversal in the report server's HTTP interface (listening on
port 8888 in the request below). Note that the traversal uses three-dot
segments (...) rather than the usual "..":

http://isa-surfserver:8888/.../.../.../.../winnt/

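The payload above relies on dot-only segments, so a check that rejects only segments exactly equal to ".." lets it through. As an added example (not code from this advisory, from SurfControl, or from ISA Server), here is a Python path guard that treats any all-dots segment as a traversal step after repeated percent-decoding, with a scanner over access-log lines to find attempts against the report server. The log layout, the sample lines, the client addresses and the document root /srv/surfcontrol/www are all constructed for this example; the page does not describe SurfControl's real log format.

```python
"""Added example: flag and block the dot-segment traversal the advisory describes.

Two pieces: a request-path filter that treats any all-dots segment
(.., ..., ....) as a parent-directory step after percent-decoding, and a
scanner over access-log lines (the log format and lines are constructed
for this example, not real SurfControl output).
"""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

SEPARATORS = re.compile(r"[\\/]+")  # the report server ran on Windows: accept both
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def decode_fully(raw: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %2e%2e and %252e%252e both become '..'."""
    for _ in range(rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def path_segments(raw: str) -> List[str]:
    """Split the decoded request path on / and \\, dropping empty segments."""
    path = decode_fully(raw.split("?", 1)[0])  # query string is irrelevant here
    return [seg for seg in SEPARATORS.split(path) if seg]


def is_traversal(raw: str) -> bool:
    """True if any segment consists only of two or more dots.

    A check for segments equal to '..' misses the advisory's payload, whose
    segments are '...'; the server still walked up the tree for it.
    """
    return any(len(seg) >= 2 and set(seg) == {"."} for seg in path_segments(raw))


def safe_resolve(doc_root: str, raw: str) -> Optional[str]:
    """Map a request path under doc_root, or return None if it must be refused.

    Rejects dot-only segments outright, then re-checks that the joined path
    is still inside doc_root so the guard does not rely on the filter alone.
    """
    if is_traversal(raw):
        return None
    segments = [seg for seg in path_segments(raw) if seg != "."]
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def scan_log(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (client, path, status) for requests that look like traversal."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        client, _method, path, status = match.groups()
        if is_traversal(path):
            hits.append((client, path, int(status)))
    return hits


# Constructed sample lines in a common-log-style layout (hypothetical hosts).
SAMPLE_LOG = [
    '10.1.2.3 - - [19/Jun/2003:14:10:02 +0000] "GET /reports/daily.htm HTTP/1.0" 200 4311',
    '10.1.2.9 - - [19/Jun/2003:14:12:02 +0000] "GET /.../.../.../.../winnt/ HTTP/1.0" 200 9120',
    '10.1.2.9 - - [19/Jun/2003:14:12:05 +0000] "GET /%252e%252e/%252e%252e/winnt/win.ini HTTP/1.0" 200 512',
    '10.1.2.7 - - [19/Jun/2003:14:13:00 +0000] "GET /reports/..archive/x.htm HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for client, path, status in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {path} -> HTTP {status}")
    print(safe_resolve("/srv/surfcontrol/www", "/reports/daily.htm"))
    print(safe_resolve("/srv/surfcontrol/www", "/.../.../.../.../winnt/"))
```

The scanner is deliberately conservative: a segment such as "..archive" is a legitimate name and is not flagged, while any segment made only of dots is, whether it arrives as ".." or "...", with forward or backward slashes, or percent-encoded once or twice.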

Vendor Response:
The SurfControl team was notified of the vulnerability above. SurfControl
already knew the issue existed in the stand-alone SurfControl products, but
did not know it existed in the plugin for Microsoft ISA. They recommended
disabling the report server and said it is turned on by default for
"convenience to users." Convenience before security from a leader in
filtering products?

To disable the report server, go to Administrative Tools > Services and
stop the "SurfControl Web Filter Report Server" service. Set its startup
type to Disabled as well, otherwise it starts again at the next reboot, and
confirm afterwards that nothing is still listening on port 8888.
