RE: MPSB03-02 - Using Windows NT Authentication and Windows file permissions
> > The CFM file is always executed within the context of the CF server,
> > no matter what. Of course, you should limit the privileges of the
> > account in which CF runs to the extent possible.
>
> Which normally is the Localsystem account, which will grant CFMX all
> access. Running CFMX under a different user isn't as easy as it might
> seem. Just changing the usercontext didn't do the trick here, it
> requires a bunch of registry/ACL changes too.

I found it very easy to run CFMX under a less-privileged user account, compared to CF 5 and earlier versions. I didn't have to make any registry changes, but of course I had to change the appropriate filesystem ACLs. But still, the whole thing took me all of about five minutes. I just granted RWXD to the \CFusionMX directory and its subdirectories (admittedly this could be tightened considerably) and read rights to the web root containing .cfm files.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Get the mailserver that powers this list at http://www.coolfusion.com
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: MPSB03-02 - Using Windows NT Authentication and Windows file permissions
> > > Does anyone know how this exploit is exploited?
> >
> > No, and I can't replicate it with my current configuration - web server
> > authentication seems to work fine for me. As I posted in another message, I
> > suspect it has to do with the JRun connector configuration; I'm using the
> > ISAPI extension option instead of the ISAPI filter.

If you have the ISAPI filter on, and haven't checked the "file exists" option, then your username/password are negated, and all requests to .cfm files are handled under the ColdFusion MX user context regardless of what you entered.

> > > What context is the CFM template executed under?
> >
> > The CFM file is always executed within the context of the CF server, no
> > matter what. Of course, you should limit the privileges of the account in
> > which CF runs to the extent possible.

Which normally is the Localsystem account, which will grant CFMX all access. Running CFMX under a different user isn't as easy as it might seem. Just changing the user context didn't do the trick here, it requires a bunch of registry/ACL changes too.

> > > Is the application.cfm file still executed?
> >
> > I would assume so. Of course, since I haven't replicated the problem, I
> > can't say for sure.

Yes it is.

Jesse
Re: MPSB03-02 - Using Windows NT Authentication and Windows file permissions
Jochem van Dieten wrote:
> [EMAIL PROTECTED] wrote:
> > Well, for an administrative tools directory, off the root of a site. If the
> > ACL's deny access to the IUSR account, any unauthenticated user is prompted
> > to enter their username/password to access the cfm files within that
> > directory (or if the files themselves have these ACL's).
>
> It is my understanding that unless you switch on "Check that file
> exists" nobody is asked for their u/p.

One does get asked, but any username/pass is accepted (empty too), as CFMX doesn't do an ACL check, it just accepts the username/pass.

Jesse
Re: MPSB03-02 - Using Windows NT Authentication and Windows file permissions
Dave Watts wrote:
> > It is my understanding that unless you switch on "Check
> > that file exists" nobody is asked for their u/p.
>
> This is not necessarily the case. I've been successfully using web server
> authentication (both Basic and Windows Authentication) with IIS 5 and CFMX.
>
> I suspect that it has to do with the way that the JRun connector is
> configured. On my test machine, I'm using the ISAPI extension. I suspect
> that if I instead used the ISAPI filter, I'd run into the problem, but don't
> have time to test that theory right now.

Filters may take over control of a request before authentication, while extensions are always after authentication.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iisref/html/psdk/asp/isgu744y.asp

> If any Macromedia people want to shed more light on the nature of the IIS
> authentication problem, I'd appreciate it.

I would like to know what event notifications are used by the jrun filter and what SF_STATUS code it returns.

Jochem
RE: MPSB03-02 - Using Windows NT Authentication and Windows file permissions
> Yikes - that would mean we would have to recode basically
> every app we have ever made that has a web accessible
> admin directory. Do you think it would be safe to use a
> cold fusion scripted login routine instead of ACL's and
> Windows Authentication?

Why couldn't you just enable the "Check that file exists" option within the web-accessible admin directory? That doesn't need to use search-engine-safe URLs, does it?

> I recall seeing recently that web based admin's getting
> hacked was one of the top security vulnerabilities with
> web apps.

I can't vouch for that, but it sounds plausible enough. But there's a lot you can do to secure administrative functionality, in addition to requiring a login. You can place it within its own virtual server, so that people are less likely to find it; you can limit who can access it by IP address; you can limit who can access it by requiring client certificates. You can use all of these techniques together, of course.

> Does anyone know how this exploit is exploited?

No, and I can't replicate it with my current configuration - web server authentication seems to work fine for me. As I posted in another message, I suspect it has to do with the JRun connector configuration; I'm using the ISAPI extension option instead of the ISAPI filter.

> What context is the CFM template executed under?

The CFM file is always executed within the context of the CF server, no matter what. Of course, you should limit the privileges of the account in which CF runs to the extent possible.

> Is the application.cfm file still executed?

I would assume so. Of course, since I haven't replicated the problem, I can't say for sure.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: MPSB03-02 - Using Windows NT Authentication and Windows file permissions
> It is my understanding that unless you switch on "Check
> that file exists" nobody is asked for their u/p.

This is not necessarily the case. I've been successfully using web server authentication (both Basic and Windows Authentication) with IIS 5 and CFMX.

I suspect that it has to do with the way that the JRun connector is configured. On my test machine, I'm using the ISAPI extension. I suspect that if I instead used the ISAPI filter, I'd run into the problem, but don't have time to test that theory right now.

Oddly enough, since installing Updater 2, I can't run wsconfig.exe to configure the connector. If I try, I get this:

Exception in thread "main" java.lang.NoSuchMethodError: jrunx.connectorinstaller.CIUtil.unquoteString(Ljava/lang/String;)Ljava/lang/String;
        at jrunx.connectorinstaller.PropertyFileEditor.nextFullEntry(PropertyFileEditor.java:96)
        at jrunx.connectorinstaller.gui.ConfigFrame.getConfigList(ConfigFrame.java:191)
        at jrunx.connectorinstaller.gui.ConfigFrame.getConfigPanel(ConfigFrame.java:132)
        at jrunx.connectorinstaller.gui.ConfigFrame.(ConfigFrame.java:90)
        at jrunx.connectorinstaller.gui.ConfigFrame.run(ConfigFrame.java:384)
        at jrunx.connectorinstaller.ConnectorInstaller.main(ConnectorInstaller.java:536)

When I run wsconfig.jar directly, it displays the wsconfig GUI, but won't allow me to configure any web servers. I imagine that it might work if run with command-line parameters.

If any Macromedia people want to shed more light on the nature of the IIS authentication problem, I'd appreciate it.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
Re: MPSB03-02 - Using Windows NT Authentication and Windows file permissions
I don't see that happening. I am still prompted for a u/p. Maybe because the server does not have Updater 2 installed. I'll double-check - thanks.

brook

At 01:12 AM 2/3/2003 +0100, you wrote:
> [EMAIL PROTECTED] wrote:
> > Well, for an administrative tools directory, off the root of a site. If the
> > ACL's deny access to the IUSR account, any unauthenticated user is prompted
> > to enter their username/password to access the cfm files within that
> > directory (or if the files themselves have these ACL's).
>
> It is my understanding that unless you switch on "Check that file
> exists" nobody is asked for their u/p.
>
> Jochem
Re: MPSB03-02 - Using Windows NT Authentication and Windows file permissions
[EMAIL PROTECTED] wrote:
> Well, for an administrative tools directory, off the root of a site. If the
> ACL's deny access to the IUSR account, any unauthenticated user is prompted
> to enter their username/password to access the cfm files within that
> directory (or if the files themselves have these ACL's).

It is my understanding that unless you switch on "Check that file exists" nobody is asked for their u/p.

Jochem
Re: MPSB03-02 - Using Windows NT Authentication and Windows file permissions
Well, for an administrative tools directory, off the root of a site. If the ACL's deny access to the IUSR account, any unauthenticated user is prompted to enter their username/password to access the cfm files within that directory (or if the files themselves have these ACL's).

Is that enough security for a password protected directory? An attacker would still have to guess/brute force the password to gain access to those files/directories, right?

Brook

At 11:18 PM 2/2/2003 +0100, you wrote:
> [EMAIL PROTECTED] wrote:
> > If the ACL's rules still apply, are they enough to use to restrict access?
>
> Could you elaborate? What do you want to do?
>
> Jochem
Re: MPSB03-02 - Using Windows NT Authentication and Windows file permissions
[EMAIL PROTECTED] wrote:
> If the ACL's rules still apply, are they enough to use to restrict access?

Could you elaborate? What do you want to do?

Jochem
Re: MPSB03-02 - Using Windows NT Authentication and Windows file permissions
If the ACL's rules still apply, are they enough to use to restrict access?

At 10:42 PM 2/2/2003 +0100, you wrote:
> [EMAIL PROTECTED] wrote:
> > Yikes - that would mean we would have to recode basically every app we have
> > ever made that has a web accessible admin directory. Do you think it
> > would be safe to use a cold fusion scripted login routine instead of ACL's
> > and Windows Authentication?
>
> If you can write a decent login it should be no problem.
>
> > Does anyone know how this exploit is exploited? What context is the CFM
> > template executed under? Is the application.cfm file still executed?
>
> Think of it as a priorities issue. Until CF MX the priority of the IIS
> security filter was higher than the priority of CF, so first the IIS
> security was checked and then the control was passed on to the CF Service.
> Now with CF MX the priority of the filter that intercepts requests for CF MX
> and redirects them to CF MX is higher than the priority of the IIS
> Security filter. So the request is passed on to the CF MX service before
> IIS security settings are checked. But it is still a normal request, and
> all the normal ACL rules still apply.
>
> Jochem
Re: MPSB03-02 - Using Windows NT Authentication and Windows file permissions
[EMAIL PROTECTED] wrote:
> Yikes - that would mean we would have to recode basically every app we have
> ever made that has a web accessible admin directory. Do you think it
> would be safe to use a cold fusion scripted login routine instead of ACL's
> and Windows Authentication?

If you can write a decent login it should be no problem.

> Does anyone know how this exploit is exploited? What context is the CFM
> template executed under? Is the application.cfm file still executed?

Think of it as a priorities issue. Until CF MX the priority of the IIS security filter was higher than the priority of CF, so first the IIS security was checked and then the control was passed on to the CF Service. Now with CF MX the priority of the filter that intercepts requests for CF MX and redirects them to CF MX is higher than the priority of the IIS Security filter. So the request is passed on to the CF MX service before IIS security settings are checked. But it is still a normal request, and all the normal ACL rules still apply.

Jochem
RE: MPSB03-02 - Using Windows NT Authentication and Windows file permissions
Yikes - that would mean we would have to recode basically every app we have ever made that has a web accessible admin directory. Do you think it would be safe to use a cold fusion scripted login routine instead of ACL's and Windows Authentication?

I recall seeing recently that web based admin's getting hacked was one of the top security vulnerabilities with web apps.

Does anyone know how this exploit is exploited? What context is the CFM template executed under? Is the application.cfm file still executed?

Brook

At 03:14 PM 2/2/2003 -0500, you wrote:
> > Is there any way to use the "check that file exists"
> > setting in IIS while using SES URL's.
> >
> > Example: http:www.mysite.com/index.cfm/fuseaction/display/
>
> No, I don't think so, since the file doesn't actually exist!
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
RE: MPSB03-02 - Using Windows NT Authentication and Windows file permissions
> Is there any way to use the "check that file exists"
> setting in IIS while using SES URL's.
>
> Example: http:www.mysite.com/index.cfm/fuseaction/display/

No, I don't think so, since the file doesn't actually exist!

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
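The request path this thread argues about, as an added model (not code from the list, Macromedia, JRun or IIS): Jochem's "priorities" explanation (filter intercepts before the IIS security check, extension runs after it), the "Check that file exists" option that restores the check, and Dave's point that the same option turns SES URLs into 404s because the literal URL names no file. The sample site, its two templates and their ACLs are constructed for the illustration.

```python
"""Constructed model of the IIS 5 + ColdFusion MX request path discussed in
this thread. It is an illustration, not JRun, IIS or Macromedia code."""
from dataclasses import dataclass, field

# Constructed sample site: script path -> principals its NTFS ACL allows.
SAMPLE_ACLS = {
    "/index.cfm": {"IUSR", "admin"},
    "/admin/tools.cfm": {"admin"},   # IUSR denied: web server auth expected
}


@dataclass
class Server:
    connector: str                   # "filter" or "extension" (JRun connector)
    check_file_exists: bool = False  # the IIS option the bulletin recommends
    acls: dict = field(default_factory=lambda: dict(SAMPLE_ACLS))

    def _script_path(self, url):
        """Strip SES path info: /index.cfm/fuseaction/display/ -> /index.cfm."""
        head, sep, _ = url.partition(".cfm/")
        return head + ".cfm" if sep else url

    def _iis_authenticate(self, script, user):
        """IIS security check: anonymous callers act as the IUSR account."""
        return (user or "IUSR") in self.acls.get(script, set())

    def handle(self, url, user=None):
        """Return (HTTP status, component that produced it) for one request."""
        if self.check_file_exists and url not in self.acls:
            # IIS resolves the literal URL to a file first; SES URLs fail here.
            return 404, "iis"
        script = self._script_path(url)
        if script not in self.acls:
            return 404, "cfmx"
        if self.connector == "filter" and not self.check_file_exists:
            # The filter takes the request before the IIS security check, so
            # the template runs whatever credentials were (or were not) sent.
            return 200, "cfmx"
        if not self._iis_authenticate(script, user):
            return 401, "iis"
        return 200, "cfmx"


def admin_dir_protected(server, script="/admin/tools.cfm"):
    """Defender's check for a configuration: an anonymous request to the
    admin template must be refused by IIS and the allowed user must get in."""
    anon_status, _ = server.handle(script)
    auth_status, _ = server.handle(script, user="admin")
    return anon_status == 401 and auth_status == 200


if __name__ == "__main__":
    for cfg in (Server("filter"), Server("extension"),
                Server("filter", check_file_exists=True)):
        print(cfg.connector, "check_file_exists=%s" % cfg.check_file_exists,
              "| admin dir protected:", admin_dir_protected(cfg),
              "| SES url:", cfg.handle("/index.cfm/fuseaction/display/"))
```

Run stand-alone it prints one line per configuration, showing that only the filter-without-check setup leaves the admin directory open, and that enabling the check is what breaks the SES URL.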
Re: MPSB03-02 - Using Windows NT Authentication and Windows file permissions
Ok Thanks :)

I guess my next question is: Is there any way to use the "check that file exists" setting in IIS while using SES URL's.

Example: http:www.mysite.com/index.cfm/fuseaction/display/

Brook

At 05:05 AM 2/2/03 +, you wrote:
> Forgot to include another link that may help you
>
> http://www.securitytracker.com/alerts/2003/Jan/1006023.html
>
> Cheers
>
> --- [EMAIL PROTECTED] wrote:
> > Hello Weekenders,
> >
> > I'm sure most of you got the MM Security bulletin the other day
> > (http://www.macromedia.com/security). I am trying to figure out what the
> > security breach is if the steps outlined in the Security Bulletin are not
> > taken. It doesn't describe what level of access an attacker could gain
> > through this exploit. And since we use the SES URL's
> > (mysite.com/index.cfm/myvar/myvarvalue/), I can not easily implement this
> > security fix because checking the "check that file exists" box in IIS
> > causes 404's since the file name is buried in the query string.
> >
> > So if anyone can fill me in on the severity of this exploit, then I can
> > appropriately decide if I need to make some serious changes to multiple
> > sites or find an alternative.
> >
> > Thanks
> >
> > Brook Davies
> > maracasmedia
>
> __
> Do You Yahoo!?
> Everything you'll ever need on one web page
> from News and Sport to Email and Music Charts
> http://uk.my.yahoo.com
Re: MPSB03-02 - Using Windows NT Authentication and Windows file permissions
Forgot to include another link that may help you

http://www.securitytracker.com/alerts/2003/Jan/1006023.html

Cheers

--- [EMAIL PROTECTED] wrote:
> Hello Weekenders,
>
> I'm sure most of you got the MM Security bulletin the other day
> (http://www.macromedia.com/security). I am trying to figure out what the
> security breach is if the steps outlined in the Security Bulletin are not
> taken. It doesn't describe what level of access an attacker could gain
> through this exploit. And since we use the SES URL's
> (mysite.com/index.cfm/myvar/myvarvalue/), I can not easily implement this
> security fix because checking the "check that file exists" box in IIS
> causes 404's since the file name is buried in the query string.
>
> So if anyone can fill me in on the severity of this exploit, then I can
> appropriately decide if I need to make some serious changes to multiple
> sites or find an alternative.
>
> Thanks
>
> Brook Davies
> maracasmedia
Re: MPSB03-02 - Using Windows NT Authentication and Windows file permissions
My understanding of this was that anybody could run the CFM template regardless of their NTFS file permissions for that template.

Cheers

--- [EMAIL PROTECTED] wrote:
> Hello Weekenders,
>
> I'm sure most of you got the MM Security bulletin the other day
> (http://www.macromedia.com/security). I am trying to figure out what the
> security breach is if the steps outlined in the Security Bulletin are not
> taken. It doesn't describe what level of access an attacker could gain
> through this exploit. And since we use the SES URL's
> (mysite.com/index.cfm/myvar/myvarvalue/), I can not easily implement this
> security fix because checking the "check that file exists" box in IIS
> causes 404's since the file name is buried in the query string.
>
> So if anyone can fill me in on the severity of this exploit, then I can
> appropriately decide if I need to make some serious changes to multiple
> sites or find an alternative.
>
> Thanks
>
> Brook Davies
> maracasmedia