IIS and Zope share the same problem :-S

MICROSOFT WEBSERVERS LAID OPEN FOR ALL TO SEE
by Dave Murphy, member@itrain.org
Microsoft is scrambling to repair damage caused by a security hole in its IIS 4 & 5 webserver that runs on Windows NT/2000. Microsoft claims over four million IIS websites, and each one of them is at risk of releasing sensitive data through the security hole. Called the "Web Server Folder Traversal" error, the flaw allows users to execute files on an IIS website by requesting a specific web address.
http://www.zope.org/standard_html_header for example ;-) http://www.zope.org/objectIds as another...
The bug allows access to any file on the webserver via a specified URL. Like all webservers, IIS is supposed to prevent access to files that aren't intended to be part of the website.
Maybe Zope should too....
This article is posted to http://itrain.org/itinfo/2000/it001017.html
Live well, do good,
--Dave Murphy
cheers, Chris
+-------[ Chris Withers ]----------------------
| > MICROSOFT WEBSERVERS LAID OPEN FOR ALL TO SEE
| > by Dave Murphy, member@itrain.org
| >
| > Microsoft is scrambling to repair damage caused by a security hole in its IIS 4 & 5 webserver that runs on Windows NT/2000. Microsoft claims over four million IIS websites, and each one of them is at risk of releasing sensitive data through the security hole. Called the "Web Server Folder Traversal" error, the flaw allows users to execute files on an IIS website by requesting a specific web address.
|
| http://www.zope.org/standard_html_header for example ;-)

Not that old chestnut again...

| http://www.zope.org/objectIds as another...

To be fair this is not the same as the bug described below.

| > The bug allows access to any file on the webserver via a specified URL. Like all webservers, IIS is supposed to prevent access to files that aren't intended to be part of the website.

Knowing the file is there is not the same as accessing it.

--
Totally Holistic Enterprises Internet | P:+61 7 3870 0066 | Andrew Milton
The Internet (Aust) Pty Ltd | F:+61 7 3870 4477 | ACN: 082 081 472
ABN: 83 082 081 472 | M:+61 416 022 411 | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068 | akm@theinternet.com.au
Andrew Kenneth Milton wrote:
| | http://www.zope.org/standard_html_header for example ;-)
Not that old chestnut again...
Yes, that old chestnut again. If it's considered a serious security flaw by Microsoft, maybe the Zope community should finally do something to solve it.

...and yes, there are discussions about this on Zope-dev right now, which will hopefully produce a solution :-)

cheers,
Chris
As I already suggested ages ;) ago (and still didn't put into practice), it would here again be best to deny everything that isn't explicitly allowed (e.g. allow whatever ends with _html or .html and deny everything else), but then I would have to go over the whole website and make bazillions of changes... I fixed the problem temporarily by adding some "FilesMatch/LocationMatch + deny from all" in my httpd.conf. But what else do I have to deny apart from objectIds?

Ragnar
_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )
Chris Withers wrote:
Andrew Kenneth Milton wrote:
| | http://www.zope.org/standard_html_header for example ;-)
Not that old chestnut again...
Yes, that old chestnut again. If it's considered a serious security flaw by Microsoft, maybe the Zope community should finally do something to solve it.
...and yes, there are discussions about this on Zope-dev right now, which will hopefully produce a solution :-)
cheers,
As soon as you can tell us how to get Zope to go executing _files_ on the server (read, in the filesystem), as opposed to objects in the site.... I might accept it as the same bug. :^)=

Then-again,-I-might-_use_-that-capability-if-I-could-ly y'rs
Bill
--
E PLURIBUS LINUX
On Fri, 20 Oct 2000, Chris Withers wrote:
Andrew Kenneth Milton wrote:
| http://www.zope.org/standard_html_header for example ;-)
Not that old chestnut again...
Yes, that old chestnut again. If it's considered a serious security flaw by Microsoft, maybe the Zope community should finally do something to solve it.
...and yes, there are discussions about this on Zope-dev right now, which will hopefully produce a solution :-)

Now, I may be missing the point of the fine-grained access control of ZOPE, but knowing an object's ID is not at all the same as being able to access it, or even invoke it correctly. The MS bug "allows access to any file on the webserver". Whilst in ZOPE you may be able to enter the URL and invoke the object to some degree, unless you have the permissions to do whatever it does, what harm can you do? To me, this seems like more of a "patch by sensible admin" problem than a security hole.
cheers,
Chris
Have a better one, Curtis Maloney.
Hum... A possible way to solve this problem is to practice the "you can't do ANYTHING but..." policy... and thus grant proxy roles to the methods that must access it, such as index_html. I know it's constraining, but with a little work we can end up with something quite secure & secret.

P.-J.

Chris Withers wrote:

MICROSOFT WEBSERVERS LAID OPEN FOR ALL TO SEE
by Dave Murphy, member@itrain.org
Microsoft is scrambling to repair damage caused by a security hole in its IIS 4 & 5 webserver that runs on Windows NT/2000. Microsoft claims over four million IIS websites, and each one of them is at risk of releasing sensitive data through the security hole. Called the "Web Server Folder Traversal" error, the flaw allows users to execute files on an IIS website by requesting a specific web address.
http://www.zope.org/standard_html_header for example ;-) http://www.zope.org/objectIds as another...
The bug allows access to any file on the webserver via a specified URL. Like all webservers, IIS is supposed to prevent access to files that aren't intended to be part of the website.
Maybe Zope should too....
This article is posted to http://itrain.org/itinfo/2000/it001017.html
Live well, do good,
--Dave Murphy
cheers,
Chris
--
If the only tool you have is a hammer, you tend to see every problem as a nail.
--Abraham Maslow
Pierre-Julien Grizel wrote:
Hum... A possible way to solve this problem is to practice the "you can't do ANYTHING but..." policy... and thus grant proxy roles to the methods that must access it, such as index_html. I know it's constraining, but with a little work we can end up with something quite secure & secret.

It's not secret, you can still use /objectIds and /objectValues to find out about things... Secure, yes it is that. But it's a lot more than a little work. What I was suggesting was something to do the grunt work of all this with the same outcome.

oh well...

Chris
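The deny-by-default policy Ragnar describes (publish only names ending in _html or .html, refuse everything else) and the /objectIds and /objectValues exposure Chris mentions, modelled as a request pre-check. This is an added example, not code from Zope or from anyone in the thread; the regex, the blocked-name list and the apache_deny_block() rendering of Ragnar's httpd.conf stopgap are this example's own assumptions.

```python
import re
from urllib.parse import unquote

# Ragnar's policy: publish only names ending in _html or .html and refuse
# everything else. The regex is this example's own rendering of that rule.
ALLOWED_LEAF = re.compile(r"^[A-Za-z0-9][\w.-]*(_html|\.html)$")

# Names the thread points at as disclosing site structure or template
# contents when requested directly (constructed list for this example).
BLOCKED_NAMES = {"objectIds", "objectValues", "standard_html_header"}

# Name served when a request ends in a folder (empty or '/' leaf).
DEFAULT_DOCUMENT = "index_html"


def check_request(path):
    """Return (allowed, reason) for a request path such as '/docs/objectIds'.

    Percent-decode before comparing so 'object%49ds' cannot slip past the
    name check, and inspect every segment, not only the last, so a blocked
    method cannot be reached as an intermediate traversal step.
    """
    decoded = unquote(path.split("?", 1)[0])
    segments = [s for s in decoded.split("/") if s]
    for seg in segments:
        if seg in BLOCKED_NAMES:
            return False, "blocked name: " + seg
    if not segments or decoded.endswith("/"):
        leaf = DEFAULT_DOCUMENT      # folder request: default document applies
    else:
        leaf = segments[-1]
    if ALLOWED_LEAF.match(leaf):
        return True, "published: " + leaf
    return False, "not in allowlist: " + leaf


def apache_deny_block():
    """Render the httpd.conf fragment (Apache 1.3/2.2 mod_access syntax) that
    refuses the blocked names outright, the kind of stopgap Ragnar used."""
    pattern = "|".join(sorted(BLOCKED_NAMES))
    template = ('<LocationMatch "/({})$">\n'
                "    Order deny,allow\n"
                "    Deny from all\n"
                "</LocationMatch>")
    return template.format(pattern)


if __name__ == "__main__":
    for p in ["/", "/docs/index_html", "/standard_html_header",
              "/docs/object%49ds", "/docs/objectValues/index_html"]:
        print(p, check_request(p))
    print(apache_deny_block())
```

The httpd.conf fragment only hides the names it lists; the allowlist check is what closes the "what else do I have to deny" question, at the cost of touching every published name that does not follow the naming rule.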
participants (6): Andrew Kenneth Milton, Bill Anderson, Chris Withers, Curtis Maloney, Pierre-Julien Grizel, Ragnar Beer