Subject: Re: Another buffer overflow on IIS
From: Marc Maiffret (marcEEYE.COM)
Date: Fri Dec 22 2000 - 05:06:29 CST


| -----Original Message-----
| From: Windows NTBugtraq Mailing List
| [mailto:NTBUGTRAQLISTSERV.NTBUGTRAQ.COM]On Behalf Of Microsoft Security
| Response Center
| Sent: Thursday, December 21, 2000 9:01 PM
| To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
| Subject: Re: Another buffer overflow on IIS
<snip>
| In order for this ASP code to execute, it must reside on the local
| webserver in question. If the malicious user had the ability to
| upload code to the webserver, "unpleasant things can happen".
| Allowing untrusted users to upload code to a webserver is discussed
| in Rule #4 from the Ten Immutable Laws of Security:
| http://www.microsoft.com/technet/security/10imlaws.asp#d
|
| Regards,
|
| SecureMicrosoft.com

So taking that stance... what are web hosting companies supposed to do about
a person who pays 20 bucks to get an account, uploads a file and takes down
the X number of other people hosted on that same server? Or maybe someone
does not go and buy an account... instead one domain on a server with X
number of domains is incorrectly set up to allow file uploads via a poorly
written ASP script that allows people to upload to that insecure domain...
now, because we have no local security, all of those domains are screwed. I
know that in a Unix environment (if things are set up correctly) someone
getting access to one domain does not have to mean the end of the world for
the rest of the domains in a multi-homed environment.

An IIS server should not so easily fall over if someone gets the ability to
execute as IUSR_MACHINE.... Look at Apache... just because someone breaks in
via Apache (running as "nobody") that does not have to lead to the entire
system being compromised or taken off line.

Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com

"There was a new API released today.... RevertToSystem()"