From: Jay Woody (jay_woodytnb.com)
Date: Wed May 30 2001 - 17:12:00 CDT
Some directories point to the same drive that the OS is installed on by default. For instance, you put the OS on C and run IIS from D and you think you're safe. You will find that MSADC points to whatever drive the OS is on. All we need is a directory traversal exploit that points to MSADC rather than SCRIPTS and the OS is compromised by default. I'm sure there are more.
I am not aware of a way to change from the d to c drive in the URL, but I am aware of ways to start at C, even if IIS is on D.
You are right. This does help DRAMATICALLY, but it doesn't stop 100%.
>>> "Ryan Counts" <webmasterbadsushi.com> 05/29/01 06:33PM >>>
Here's a question. Why not just have all the web sites running on a
separate partition from the OS partition? Every vulnerability I've seen
in IIS relies on the directory structure pretty much being unchanged
from the OS installation. However, I have yet to see one that allows
the malicious user to change drives in the URL parameter. Please
correct me if I'm wrong, but this seems like a relatively simple
solution, not to mention it eases other maintenance procedures like
CTO - Netgrowth Inc.
From: Ben Greenbaum [mailto:bgreenbaumsecurityfocus.com]
Sent: Monday, May 28, 2001 5:38 PM
Subject: RE: Why remove default web? (was RE: IIS 5.0)
> Wouldn't another strategy be to just set the default web site to some
> numbered port, and not allow that port through the firewall? That
> there is no possible way to access the default site.
That would definitely be another strategy. Many people would describe
strategy as "bad" :) Why leave an unneeded and vulnerable service
at all? Putting it behind a firewall helps, sure - until somebody finds
way through or around your firewall. Then they own that box pretty much
right away. Switching the port will delay the compromise for as long as
it takes the attacker to run a port scan.
I can't think of a legit business reason for leaving it, but I suppose
it was truly needed for some reason (?) that strategy would be better
Director of Product Development - SIA/VulDB
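The thread's practical point is that moving the site root to D: does not move every virtual directory: installer-created ones such as MSADC keep a physical path on the OS drive. The following PowerShell script is an added example, not code from anyone in this thread; it audits every site, application and virtual directory in IIS and flags entries whose physical path resolves onto the system drive. It assumes IIS 7 or later with the WebAdministration module (the thread discusses IIS 5.0, where the same data lived in the metabase and would have been read with adsutil.vbs); the cmdlet names used are real, and the assumption that Get-WebVirtualDirectory -Site covers the virtual directories you care about is noted in the comments.

```powershell
# Added example (not from the thread): list IIS paths that land on the OS drive.
# Assumes IIS 7+ and the WebAdministration module; run from an elevated prompt.
Import-Module WebAdministration

# The drive Windows is installed on, e.g. "C:". A site root on D: is only half
# the story if a virtual directory still points back here.
$systemDrive = $env:SystemDrive

function Test-OnSystemDrive {
    param([string]$PhysicalPath)
    # IIS stores some paths as %SystemDrive%\inetpub\..., so expand first.
    $expanded = [Environment]::ExpandEnvironmentVariables($PhysicalPath)
    return $expanded.StartsWith($systemDrive, [StringComparison]::OrdinalIgnoreCase)
}

$findings = @()

foreach ($site in Get-Website) {
    # Site root itself.
    $findings += [pscustomobject]@{
        Site          = $site.Name
        State         = $site.State
        Kind          = 'Site'
        Path          = '/'
        PhysicalPath  = $site.physicalPath
        OnSystemDrive = Test-OnSystemDrive $site.physicalPath
    }

    # Applications under the site (each has its own physical path).
    foreach ($app in Get-WebApplication -Site $site.Name) {
        $findings += [pscustomobject]@{
            Site          = $site.Name
            State         = $site.State
            Kind          = 'Application'
            Path          = $app.path
            PhysicalPath  = $app.physicalPath
            OnSystemDrive = Test-OnSystemDrive $app.physicalPath
        }
    }

    # Virtual directories under the site. Assumption: -Site alone returns the
    # virtual directories you need to review; pass -Application as well if you
    # have nested applications with their own virtual directories.
    foreach ($vdir in Get-WebVirtualDirectory -Site $site.Name) {
        $findings += [pscustomobject]@{
            Site          = $site.Name
            State         = $site.State
            Kind          = 'VirtualDirectory'
            Path          = $vdir.path
            PhysicalPath  = $vdir.physicalPath
            OnSystemDrive = Test-OnSystemDrive $vdir.physicalPath
        }
    }
}

# Everything that resolves onto the OS drive is the list to move or remove.
$findings | Where-Object OnSystemDrive | Format-Table Site, State, Kind, Path, PhysicalPath -AutoSize

# The full inventory, including which sites are still running, covers the
# other question in the thread: whether a default site is still present at all.
$findings | Format-Table Site, State, Kind, Path, PhysicalPath -AutoSize
```

Run it once after moving a site root and again after any IIS feature or component install, since installers are what create the OS-drive virtual directories the thread describes; the useful result is an empty first table.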