RE: Warning: Security Hole With IIS Tomcat

2001-07-27 Thread Randy Layman


I would have to say probably not.  The exploit that we saw a few
weeks ago was that you can send IIS a command to go .. outside of the
inetpub directory (thus going above the root).  If you have the default
installation, and inetpub is on the same drive as your WinNT partition, it
allows the hacker to run cmd.exe, from which they can do just about whatever
they want.

The solution to this problem is to have inetpub on a different drive
from your WinNT directory.

Randy

-----Original Message-----
From: Russell, Steve [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 27, 2001 9:47 AM
To: '[EMAIL PROTECTED]'
Subject: Warning: Security Hole With IIS  Tomcat


 Hi;

My company is running a jsp site on IIS 5 with windows 2000, and all of
the security patches.


We discovered that if we use tomcat or jrun 2.3.3 with IIS that
we have to set up the tomcat ( or jrun ) directories as virtual directories
___with execute permissions turned on__.


This got us hacked into.

I don't understand how.  It has something to do with how IIS handles 
malformed urls leaving IIS open to attacks if directories associated with 
a web site have execute permissions granted.

Does Apache have a similar vulnerability? 

Steve Russell 
Web Developer III 
ValueOptions - Lifescape 
703-205-6589 
[EMAIL PROTECTED] 



**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the sender by email, delete and destroy this message and its 
attachments.


**



RE: Warning: Security Hole With IIS Tomcat

2001-07-27 Thread Russell, Steve

Our tomcat directory is C:\Tomcat

It's outside of the inetpub hierarchy, but it is set up in IIS as a virtual
directory with execute permissions open.

Can hackers still exploit the malformed url handling in IIS with this set
up?

Steve Russell

Web Developer III
ValueOptions - Lifescape
703-205-6589
[EMAIL PROTECTED]


-----Original Message-----
From: Randy Layman [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 27, 2001 9:26 AM
To: [EMAIL PROTECTED]
Subject: RE: Warning: Security Hole With IIS  Tomcat



I would have to say probably not.  The exploit that we saw a few
weeks ago was that you can send IIS a command to go .. outside of the
inetpub directory (thus going above the root).  If you have the default
installation, and inetpub is on the same drive as your WinNT partition, it
allows the hacker to run cmd.exe, from which they can do just about whatever
they want.

The solution to this problem is to have inetpub on a different drive
from your WinNT directory.

Randy

-----Original Message-----
From: Russell, Steve [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 27, 2001 9:47 AM
To: '[EMAIL PROTECTED]'
Subject: Warning: Security Hole With IIS  Tomcat


 Hi;

My company is running a jsp site on IIS 5 with windows 2000, and all of
the security patches.


We discovered that if we use tomcat or jrun 2.3.3 with IIS that
we have to set up the tomcat ( or jrun ) directories as virtual directories
___with execute permissions turned on__.


This got us hacked into.

I don't understand how.  It has something to do with how IIS handles 
malformed urls leaving IIS open to attacks if directories associated with 
a web site have execute permissions granted.

Does Apache have a similar vulnerability? 

Steve Russell 
Web Developer III 
ValueOptions - Lifescape 
703-205-6589 
[EMAIL PROTECTED] 






RE: Warning: Security Hole With IIS Tomcat

2001-07-27 Thread Michael Wentzel

> Our tomcat directory is C:\Tomcat
>
> It's outside of the inetpub hierarchy, but it is set up in IIS as a virtual
> directory with execute permissions open.
>
> Can hackers still exploit the malformed url handling in IIS with this set
> up?

I don't believe that the virtual dir will allow the traversal to
parent directories but don't take my word for it.  You could always
give it a test yourself.

BTW, one solution is to leave tomcat installed on C: but move
your webapps to another dir along with inetpub.  In server.xml
you can set your context docbase, i.e.

Context path=/ docBase=d:/webapps/Context

---
Michael Wentzel
Software Developer
Software As We Think - http://www.aswethink.com
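
The containment question this thread keeps circling, as an added example that is not from any poster and is not IIS's or Tomcat's own code: a Python check that decodes a request path fully, maps it onto a Windows directory, and reports whether it stays under the configured root. The naive mapping, the `wwwroot` and `system32` path components and all sample URLs are constructed assumptions.

```python
import ntpath                      # Windows path rules, usable on any OS
from urllib.parse import unquote


def decode_fully(url_path, max_rounds=5):
    """Percent-decode until the string stops changing, so nested
    encodings are resolved before any '..' check is made."""
    for _ in range(max_rounds):
        decoded = unquote(url_path)
        if decoded == url_path:
            return decoded
        url_path = decoded
    raise ValueError("too many encoding layers")


def resolve(doc_root, url_path):
    """Map a URL path onto a directory the way a naive server would
    (assumed model, not the behaviour of any specific product)."""
    relative = decode_fully(url_path).replace("/", "\\").lstrip("\\")
    return ntpath.normpath(ntpath.join(doc_root, relative))


def is_inside(doc_root, url_path):
    """True only if the resolved target is the root or lies beneath it."""
    root = ntpath.normcase(ntpath.normpath(doc_root)).rstrip("\\")
    target = ntpath.normcase(resolve(doc_root, url_path))
    return target == root or target.startswith(root + "\\")


if __name__ == "__main__":
    # Constructed sample requests for the layouts discussed in the thread.
    samples = [
        (r"C:\Inetpub\wwwroot", "/scripts/../../../winnt/system32/cmd.exe"),
        (r"D:\Inetpub\wwwroot", "/scripts/../../../winnt/system32/cmd.exe"),
        (r"C:\Tomcat", "/%2e%2e/winnt/system32/cmd.exe"),
        (r"C:\Tomcat", "/webapps/index.jsp"),
    ]
    for root, url in samples:
        verdict = "inside" if is_inside(root, url) else "OUTSIDE"
        print(f"{root:20} {url:45} -> {resolve(root, url)} [{verdict}]")
```

With the root on D:, the same request still leaves the root but resolves to a path on D:, because `..` cannot change the drive letter; the check itself has to run after decoding, or the `%2e%2e` form passes a literal `..` filter.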