Message-ID: <50054229.1000807@vevida.com>
Date: Tue, 17 Jul 2012 12:44:57 +0200
From: Jan Reilink <janreilink@...ida.com>
To: king cope <isowarez.isowarez.isowarez@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Unpatched IIS Vulnerabilities / Microsoft
 July Security Bulletin

[Hope this doesn't get double posted, removed bugtraq@...urityfocus.com]

Hi,

On 16-7-2012 19:24, king cope wrote:
> Hi Lists,

[...]
> The posting included some important bugs in the Internet Information
> Services, one of their
> flagship products:
> http://seclists.org/fulldisclosure/2012/Jun/189
> 

Nice find. Somehow I missed your e-mail from the 10th of June...

Anyway, a properly configured IIS web server has its Request Restrictions
(resourceType) set to 'File' in the PHP handler. Having this not
configured, it can give you some nasty error messages ("No input file
specified", if the requested file doesn't exist).

If not configured, fix it with appcmd:

appcmd set config /section:system.webServer/handlers "-+[name=`'PHP`',path=`'*.php`',verb=`'*`',modules=`'FastCgiModule`',scriptProcessor=`'path\to\php-cgi.exe`',resourceType=`'File`']"

If you're unable to (maybe because you're a user, not an admin), you can
deny certain URL sequences using IIS URL Rewrite or Helicon ISAPI_Rewrite:

RewriteEngine On
# DenyPHPafterASPX
RewriteCond %{REQUEST_URI} ^/(.*\.aspx)/(.*\.php)$ [NC]
RewriteRule .? / [F,L]

<rewrite>
  <rules>
    <rule name="DenyPHPafterASPX" stopProcessing="true">
      <match url=".?" ignoreCase="false" />
      <conditions logicalGrouping="MatchAll">
        <add input="{URL}" pattern="^/(.*\.aspx)/(.*\.php)$" />
      </conditions>
      <action type="CustomResponse" url="/" statusCode="403"
statusReason="Forbidden" statusDescription="Forbidden" />
    </rule>
  </rules>
</rewrite>

These are workarounds, not fixes.

I can't reproduce the authentication bypass vulnerabilities you mention.
Also, there is more than one way to password protect a directory. Did
you disable 'anonymous authentication' in IIS 6.0/7.5, or did you remove
or deny IUSR-user NTFS permissions on the file system?

Regards,

Jan Reilink
VEVIDA Services
http://vevida.com



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
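
The handler check described in the message above, as an added example that is not part of the original post: it parses an IIS configuration file and reports FastCGI handler mappings whose resourceType is not 'File'. The sample configuration, handler names and paths are constructed; treating a missing resourceType attribute as "Unspecified" follows the IIS schema default.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one PHP mapping without resourceType, one restricted
# to File, and one non-FastCGI handler. Names and paths are made up.
SAMPLE_CONFIG = r"""
<configuration>
  <system.webServer>
    <handlers>
      <add name="PHP-loose" path="*.php" verb="*" modules="FastCgiModule"
           scriptProcessor="C:\php\php-cgi.exe" />
      <add name="PHP" path="*.php" verb="*" modules="FastCgiModule"
           scriptProcessor="C:\php\php-cgi.exe" resourceType="File" />
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule"
           resourceType="Either" />
    </handlers>
  </system.webServer>
</configuration>
"""


def audit_fastcgi_handlers(config_xml):
    """Return (name, path, resourceType) for FastCGI handlers not limited to File."""
    root = ET.fromstring(config_xml)
    findings = []
    # iter() also reaches <handlers> sections nested under <location> elements.
    for handlers in root.iter("handlers"):
        for add in handlers.findall("add"):
            modules = [m.strip() for m in add.get("modules", "").split(",")]
            if "FastCgiModule" not in modules:
                continue
            # An absent attribute means the schema default applies.
            resource_type = add.get("resourceType", "Unspecified")
            if resource_type != "File":
                findings.append((add.get("name"), add.get("path"), resource_type))
    return findings


if __name__ == "__main__":
    for name, path, rtype in audit_fastcgi_handlers(SAMPLE_CONFIG):
        print(f"{name}: path={path} resourceType={rtype} (not restricted to File)")
```
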
