|
Posted by AI on July 12, 2006, 1:46 pm
Please log in for more thread options
Microsoft released security bulletin MS06-034, saying that there is a flaw in
ASP that could allow remote code execution. It's not clear to me from this
bulletin whether the exploit could only be used if the IIS server hosts a web
site that allows the user to upload files that IIS will execute, or whether
this can be done through web forms. For example, would an OWA server be
affected? Users can submit data through web forms, and they can upload files
as attachments, but not for processing as a script.
This bulletin on the one hand describes a vulnerability that, if I
understand correctly, would be exposed only in very rare case, but the tone
of the bulletin makes it sound like every IIS server is vulnerable and needs
to be patched.
|
|
Posted by Karl Levinson, on July 12, 2006, 2:28 pm
Please log in for more thread options
... note for example that the article and patch are rated as "Important"
rather than "Critical."
--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
-------------------------
Microsoft Security FAQ:
http://www.securityadmin.info
"AI" wrote:
> Microsoft released security bulletin MS06-034, saying that there is a flaw in
> ASP that could allow remote code execution. It's not clear to me from this
> bulletin whether the exploit could only be used if the IIS server hosts a web
> site that allows the user to upload files that IIS will execute, or whether
> this can be done through web forms. For example, would an OWA server be
> affected? Users can submit data through web forms, and they can upload files
> as attachments, but not for processing as a script.
>
> This bulletin on the one hand describes a vulnerability that, if I
> understand correctly, would be exposed only in very rare case, but the tone
> of the bulletin makes it sound like every IIS server is vulnerable and needs
> to be patched.
|
|
Posted by Karl Levinson, on July 12, 2006, 2:28 pm
Please log in for more thread options I'm not an expert at OWA on Exchange 2003. But the article made me believe
the risk is reduced with OWA and other IIS uses that do not allow users to
upload .ASP files that are then executed as .ASP script. I think it is true
that all IIS servers are potentially at risk and should be patched
eventually, but I feel the article gave me a realistic impression of the
necessary conditions and the amount of risk to OWA. For me, the relevant
part of the article here was:
• An attacker would require valid logon credentials to exploit this
vulnerability. However, if a server has been intentionally configured to
allow users, either anonymous or authenticated, to upload web content such as
.ASP pages to web sites, the server could be attacked successfully by
exploiting by this vulnerability.
• on IIS 6.0: If ASP is enabled, it runs in the context of a W3WP.exe worker
process running as the low privilege 'NetworkService' account.
--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
-------------------------
Microsoft Security FAQ:
http://www.securityadmin.info
"AI" wrote:
> Microsoft released security bulletin MS06-034, saying that there is a flaw in
> ASP that could allow remote code execution. It's not clear to me from this
> bulletin whether the exploit could only be used if the IIS server hosts a web
> site that allows the user to upload files that IIS will execute, or whether
> this can be done through web forms. For example, would an OWA server be
> affected? Users can submit data through web forms, and they can upload files
> as attachments, but not for processing as a script.
>
> This bulletin on the one hand describes a vulnerability that, if I
> understand correctly, would be exposed only in very rare case, but the tone
> of the bulletin makes it sound like every IIS server is vulnerable and needs
> to be patched.
|
|
Posted by Roger Abell [MVP] on July 13, 2006, 12:27 am
Please log in for more thread options I understood that issue to be exclusively limited to uploaded web content
that is then served with processing by the ASP isapi that in turn is caused
to throw the error allowing the code to escape from normal constraints
placed on the ASP isapi by IIS.
In that case, casual use of a site, such as OWA, that may use ASP but
that does not allow alteration of the ASP code would not be impacted.
However, patching is still advised as authoring might in the future become
possible, but that patching is perhaps not needed so urgently.
> Microsoft released security bulletin MS06-034, saying that there is a flaw
> in
> ASP that could allow remote code execution. It's not clear to me from
> this
> bulletin whether the exploit could only be used if the IIS server hosts a
> web
> site that allows the user to upload files that IIS will execute, or
> whether
> this can be done through web forms. For example, would an OWA server be
> affected? Users can submit data through web forms, and they can upload
> files
> as attachments, but not for processing as a script.
>
> This bulletin on the one hand describes a vulnerability that, if I
> understand correctly, would be exposed only in very rare case, but the
> tone
> of the bulletin makes it sound like every IIS server is vulnerable and
> needs
> to be patched.
|
| Similar Threads | Posted | | ISAPI Filter Vulnerability | November 7, 2006, 11:15 pm |
| Is NT4 affected by the new MS05-039 Plug-n-Play Vulnerability? | August 15, 2005, 9:33 am |
| Windows Media Player vulnerability in Win2K3 Server with SP2 | October 25, 2007, 2:06 pm |
| MS08-002 Vulnerability in LSASS Could Allow Local Elevation of Privilege (943485) | February 1, 2008, 1:22 pm |
| Remote Desktop Protocol Server Private Key Disclosure Vulnerability | March 30, 2008, 9:34 am |
|
XML Sitemap