Microsoft IIS Multiple Extensions Security Bypass Clarifications

12:33 CET on the 30th December 2009
Entry written by Alin Rad Pop.

The vulnerability described in SA37831 has recently raised some questions because Microsoft has declined to acknowledge it as a security risk.

Secunia views this issue as a vulnerability from the perspective of an administrator running a web application that allows users to upload files to a particular directory. Upload scripts normally restrict the types of uploaded files by accepting only names with an allowed extension, e.g. ".jpg" or ".gif".

This vulnerability allows an attacker to bypass these otherwise sound restrictions completely, so that arbitrary files can be uploaded which IIS then interprets as e.g. ASP scripts. While we agree that removing "execute" permissions from upload directories is best practice and a good Defense-in-Depth measure, administrators who rely on the restrictions imposed by the upload script are exposed without knowing it.
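To make the difference concrete, here is the kind of check an upload script typically performs next to a hardened version. This is an added illustration, not code from Secunia, Microsoft or any particular upload script. The weak check looks only at the final extension, so a name that carries an executable extension ahead of the permitted one still passes; the hardened check allows exactly one extension from an allowlist, rejects any other character in the name, verifies the file body against the magic bytes of the claimed format, and writes the file under a server-generated name so the client's filename never reaches the filesystem. The sample names and byte strings are constructed for the example.

```python
"""Upload filename checks: the common weak pattern beside a hardened one.

Added example; assumptions: an allowlist of two image types and a small
magic-byte table, both constructed for illustration.
"""
import re
import secrets
from typing import Optional

# Extensions the upload script is meant to accept (lower-case, no dot).
ALLOWED_EXTENSIONS = ("jpg", "gif")

# Leading bytes of the accepted formats, so the body is checked as well as the name.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Exactly one dot, a short conservative stem, and an allowlisted extension.
# A second extension, ';', ':', '/', '\\', NUL or whitespace all fail to match.
SAFE_NAME = re.compile(r"^[a-z0-9_-]{1,64}\.(jpg|gif)$")


def weak_extension_check(filename: str) -> bool:
    """The usual upload-script test: look only at how the name ends."""
    return filename.lower().endswith(tuple("." + e for e in ALLOWED_EXTENSIONS))


def validate_upload_name(filename: str) -> Optional[str]:
    """Return the canonical extension if the whole name is acceptable, else None."""
    # Drop any directory part the client sent, whichever separator it used.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    match = SAFE_NAME.match(base.lower())
    return match.group(1) if match else None


def content_matches_extension(data: bytes, ext: str) -> bool:
    """True if the file body starts with a signature of the claimed format."""
    return any(data.startswith(sig) for sig in MAGIC.get(ext, ()))


def stored_filename(filename: str, data: bytes) -> Optional[str]:
    """Name to write to disk, or None to reject the upload.

    Only the validated extension survives; the stem is random, so nothing the
    client chose can influence how the web server later maps the file.
    """
    ext = validate_upload_name(filename)
    if ext is None or not content_matches_extension(data, ext):
        return None
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample names: a plain image, a double extension, a path prefix.
    for name in ("photo.jpg", "shell.asp;.jpg", "shell.asp.jpg", "..\\..\\x.gif"):
        print(f"{name!r:22} weak={weak_extension_check(name)!s:5} "
              f"hardened={validate_upload_name(name)}")
```

Note that the hardened check does not try to enumerate dangerous extensions or separators; it describes what an acceptable name looks like and rejects everything else, which is what protects it against a parsing quirk in the server it has never heard of.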

Additionally, it should be noted that granting "write" permission on the upload directory, as upload scripts require, neither warns administrators nor automatically removes an "execute" permission already set on that directory, which would protect against what Microsoft refers to as a poor configuration.

For the reasons stated above, and because exploitation additionally requires an upload script to be installed, SA37831 was released with a potential "System access" impact and a "Less critical" rating.

While administrators are encouraged to follow best practices, we believe that referring to the documentation is not enough for a vendor to fully mitigate an unexpected behaviour that clearly has a security impact and allows third-party restrictions otherwise believed to be sound to be bypassed.

Commenting on Microsoft's latest response, and specifically on the statement "The IIS folks are evaluating a change to bring the behavior of IIS 6.0 in line with the other versions", Carsten Eiram, Chief Security Specialist at Secunia, said:

"It seems that while Microsoft attempts to put the blame on their customers for not configuring their IIS servers according to best practices, they still do acknowledge that there is a problem and will be fixing it. So, it ultimately seems like we're just discussing semantics and whether Microsoft prefers to call this a "vulnerability", "weakness", "feature", or something else is up to them as long as they plan on issuing a (security) fix".


Stay Secure,

Alin Rad Pop
Security Specialist

© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144