Solved

Directory Traversal Vulnerability

Posted on 2014-03-28
Medium Priority
2,665 Views
Last Modified: 2014-04-16
From Trustwave we are getting 2 different Directory Traversal Vulnerability errors on IIS 6.0 and 7.5.  Here is the information they gave.  Any help would be appreciated.  We installed URLSCAN 3.1 on the 6.0 server and set up ".." filters on IIS 7.5 and still fail.

URL:             https://XX.X.XXX.XX/owa/auth/logon.aspx

Parameter: N/A

Request:      POST /owa/auth/logon.aspx HTTP/1.1
                     Accept: */*
                     User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
                     Host: 71.8.224.86
                     Content-Type: application/x-www-form-urlencoded
                     Content-Length: 87

Response:    HTTP/1.1 200 OK
                      Cache-Control: no-cache, no-store
                      Pragma: no-cache
                      Content-Type: text/html; charset=utf-8
                      Expires: -1
                      Server: Microsoft-IIS/7.5
                      Set-Cookie: OutlookSession=28ed48edd77c46e08eac2cbb49809438; path=/; HttpOnly

Evidence:      Microsoft Corp.

------------------------------------------------------------------------------------------------------------------------------

URL:               http://XX.X.XXX.XX/app/ScriptResource.axd

Parameter:    t

Request:        GET /app/ScriptResource.axd?d=ieoaXiKOrQ2uUTpdNERLtkYZbtThj1dBLbfRwD85axdNv4rbxjgZW0tUtnqnVfytGYIgm7O4l61E2yFShELUGUoSLzsN-1UcYXbugkhjLNMnoOncwiyh-YyZ5w6L8RbkQcHzKECCGOvalujI4E1teR6AkOzBWpk9JJlllU25GlqFdiQYHfr2yC6178yqeD8W0&t=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWINDOWS\system32\drivers\etc\hosts%00 HTTP/1.1
                      Accept: */*
                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
                      Host: XX.X.XXX.XX

Response:    HTTP/1.1 200 OK
                      Date: Fri, 28 Mar 2014 00:23:20 GMT
                      Server: Microsoft-IIS/6.0
                      MicrosoftOfficeWebServer: 5.0_Pub
                      X-Powered-By: ASP.NET
                      X-AspNet-Version: 4.0.30319
                      Cache-Control: public

Evidence:  Microsoft Corp
Question by:pcservne
9 Comments
 
LVL 53

Expert Comment

by:Scott Fell, EE MVE
ID: 39963409
You probably have parent paths turned on.   This was left on in iis6 and turned off in iis7 by default and would have had to have been turned on manually.  

If you have code that starts with ../ and it works, that means parent paths are on and you are open to this attack.  https://www.acunetix.com/websitesecurity/directory-traversal/

Make sure this is set to false http://www.iis.net/learn/application-frameworks/running-classic-asp-applications-on-iis-7-and-iis-8/classic-asp-parent-paths-are-disabled-by-default

This means you may need to rewrite some code where you see images or include files starting with ../
 

Author Comment

by:pcservne
ID: 39964063
We have already verified parent paths are disabled.
 

Expert Comment

by:rkane17
ID: 39979193
I too have the same situation with Trustwave and the Directory Traversal Vulnerability.  Ours is like your second issue - GET /app/ScriptResource.axd.  We are running SBS 2011 which has IIS 7.  All updates and patches have been applied as far as I can tell.  SharePoint has latest service packs also.  I also checked the above suggestion for the parent paths, but all were set to false.  As for re-writing code, I can't see how this would be accomplished as it is all Microsoft - SBS server has the remote web interface.  I can't seem to find any answers anywhere and Trustwave support hasn't been any help.
 
LVL 53

Expert Comment

by:Scott Fell, EE MVE
ID: 39979386
I am not a security expert and I don't use OWA but I am constantly having to make adjustments to my other software based on PCI scans.  I found this article, a bit old, but it seems on point.  

From https://social.technet.microsoft.com/wiki/contents/articles/853.adjustments-for-pci-dss-scan.aspx

Find the logon.asp file on the server and hardcode the url for OWA so that it won't respond to user input.  The file in question is located at C:\Program Files\Exchsrvr\exchweb\bin\auth\<language>\logon.asp (or wherever your Exchange has been installed) which uses user inputs without verification. There are two lines in code that should be edited:

Then find the 2 lines below and comment out
RedirectPath = Request.QueryString("URL")
RedirectPath = Server.HtmlEncode(RedirectPath)

I have ControlScan and when I run into issues they find that I know are not a problem, I have been successful by manually justifying a false positive in detail.  So far it has worked.
 

Author Comment

by:pcservne
ID: 39980391
Good idea, but it doesn't seem to apply to logon.aspx on Exchange 2010.  Those code lines don't exist in that file.
 

Expert Comment

by:rkane17
ID: 39980433
Trustwave is still failing us for XSS vulnerability and directory traversal issues.  I applied the registry settings and installed and applied the IISCrypto utility.  I have read elsewhere on here that these may be false positives, so I have disputed these findings with Trustwave and am waiting to hear back.
 

Expert Comment

by:rkane17
ID: 39995179
Here is a note that shows how to block the Directory Traversal - see the section under the heading "How to deny a URL sequence":

http://www.iis.net/configreference/system.webserver/security/requestfiltering

I am rerunning the Trustwave scan now to see if it solved it.
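As an added example (not posted by anyone in this thread), here is the request-filtering change from that reference applied with the WebAdministration module on IIS 7.5, with a read-back so you can confirm what the scanner will hit. It assumes an elevated PowerShell session on the IIS 7.5 box (Windows Server 2008 R2 or later); the function name Add-DenySequence and the server-wide scope are choices made for this example. The detail that matters for the second finding above is that the "..%2F" sequence sits in the t= query parameter, not in the URL path, so a rule in denyUrlSequences alone does not see it; denyQueryStringSequences (new in IIS 7.5) is the collection that does.

```powershell
# Added example, not from the original thread.
# Assumes: IIS 7.5+, WebAdministration module, elevated session.
Import-Module WebAdministration

# Server-wide scope (applicationHost.config). Use 'IIS:\Sites\Default Web Site'
# instead to limit the rules to one site.
$psPath = 'MACHINE/WEBROOT/APPHOST'
$rf     = 'system.webServer/security/requestFiltering'

function Add-DenySequence {
    # Helper defined for this example: add a sequence to one of the two
    # request-filtering deny collections, skipping it if already present.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('denyUrlSequences', 'denyQueryStringSequences')]
        [string]$Collection,
        [Parameter(Mandatory)][string]$Sequence
    )
    $existing = Get-WebConfigurationProperty -PSPath $psPath -Filter "$rf/$Collection" -Name 'Collection' |
                Where-Object { $_.sequence -eq $Sequence }
    if ($existing) {
        "$Collection already denies '$Sequence'"
        return
    }
    Add-WebConfigurationProperty -PSPath $psPath -Filter "$rf/$Collection" -Name '.' -Value @{ sequence = $Sequence }
    "$Collection now denies '$Sequence'"
}

# The URL-path rule covers /app/../.. style probes; the query-string rule is the
# one that catches t=..%2F..%2F... as in the ScriptResource.axd finding.
Add-DenySequence -Collection denyUrlSequences         -Sequence '..'
Add-DenySequence -Collection denyQueryStringSequences -Sequence '..'

# Keep double escaping rejected so %252e%252e is refused instead of being
# decoded a second time further down the pipeline.
Set-WebConfigurationProperty -PSPath $psPath -Filter $rf -Name 'allowDoubleEscaping' -Value $false

# Read back the effective configuration, plus the classic-ASP parent-paths
# setting discussed earlier in the thread.
foreach ($c in 'denyUrlSequences', 'denyQueryStringSequences') {
    $seqs = (Get-WebConfigurationProperty -PSPath $psPath -Filter "$rf/$c" -Name 'Collection').sequence
    '{0}: {1}' -f $c, ($seqs -join ', ')
}
$parentPaths = (Get-WebConfigurationProperty -PSPath $psPath -Filter 'system.webServer/asp' -Name 'enableParentPaths').Value
"asp enableParentPaths: $parentPaths"
```

The same two rules can be written with appcmd as /+"denyUrlSequences.[sequence='..']" and /+"denyQueryStringSequences.[sequence='..']" against section:system.webServer/security/requestFiltering. For the IIS 6.0 server in the question, which has no request filtering of its own, the equivalent lives in UrlScan.ini: confirm that ".." is listed under [DenyQueryStringSequences] (added in URLScan 3.1) and not only under [DenyUrlSequences], since the default [DenyUrlSequences] list applies to the path only.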
 

Accepted Solution

by:
pcservne earned 0 total points
ID: 39995266
We never cleared the failure on OWA Outlook 2010 running on Server 2008 R2.  We setup URL & query filtering and that solved 5 of our 6 Directory Traversal errors.  We disputed the OWA failure giving the Server version & detailed version of IIS and stating we implemented URL & query filtering and they approved the dispute, so we're clean again FINALLY!!!
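An added example (not from the thread) of the triage a practitioner would want before disputing a finding like the OWA one. Two checks are shown: whether the flagged request even carries something request filtering can act on (the POST to logon.aspx above has no ".." in its URL or query string, and request filtering does not inspect a POST body), and whether a 200 response actually contains a hosts file or merely the string the scanner listed as "Evidence: Microsoft Corp." The real Windows hosts file starts with a "# Copyright (c) 1993-2009 Microsoft Corp." header and contains address/hostname lines; the same vendor name also appears in the footer of most Microsoft-authored pages, which is the kind of match a dispute can point at. The function names, the sample request lines (with the long d= token replaced by a placeholder) and the two response bodies are constructed for this example.

```powershell
# Added example, not from the original thread. Runs offline on sample data.

function Test-TraversalInRequest {
    # Looks at the same two things denyUrlSequences / denyQueryStringSequences
    # look at: the URL path and the once-unescaped query string. A POST body is
    # never inspected by request filtering, so it is not examined here either.
    param([Parameter(Mandatory)][string]$RequestLine)
    $target = ($RequestLine -split ' ')[1]
    $path, $query = $target -split '\?', 2
    $decodedQuery = if ($query) { [uri]::UnescapeDataString($query) } else { '' }
    [pscustomobject]@{
        Target       = $target
        PathHasDots  = $path -like '*..*'
        QueryHasDots = $decodedQuery -like '*..*'
        QueryHasNull = $decodedQuery.IndexOf([char]0) -ge 0
    }
}

function Test-HostsFileLeak {
    # A genuine read of WINDOWS\system32\drivers\etc\hosts shows the file's own
    # structure: its copyright header and/or "address  hostname" lines.
    # "Microsoft Corp" alone is not evidence; it is in ordinary Microsoft HTML too.
    param([Parameter(Mandatory)][string]$Body)
    $hasHeader = $Body -match '(?m)^#\s*Copyright\s*\(c\)\s*\d{4}-\d{4}\s*Microsoft Corp\.'
    $hasEntry  = $Body -match '(?m)^\s*(\d{1,3}\.){3}\d{1,3}\s+\S+\s*$'
    $nameOnly  = $Body -match 'Microsoft Corp'
    [pscustomobject]@{
        LeaksHostsFile     = ($hasHeader -or $hasEntry)
        EvidenceStringOnly = ($nameOnly -and -not ($hasHeader -or $hasEntry))
    }
}

# Request lines modelled on the two findings in the scan report (d= token shortened to X).
$owaProbe    = 'POST /owa/auth/logon.aspx HTTP/1.1'
$scriptProbe = 'GET /app/ScriptResource.axd?d=X&t=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWINDOWS\system32\drivers\etc\hosts%00 HTTP/1.1'

Test-TraversalInRequest $owaProbe
Test-TraversalInRequest $scriptProbe

# Constructed response bodies: a hosts-file read, and a footer snippet of the
# kind an OWA logon page returns that also contains the vendor name.
$leakedBody = @"
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
"@
$owaBody = '<div class="footer">&copy; 2010 Microsoft Corporation. All rights reserved.</div>'

Test-HostsFileLeak $leakedBody
Test-HostsFileLeak $owaBody
```

For the ScriptResource.axd probe the query-string check is what trips, which is why a denyQueryStringSequences rule for ".." clears that class of finding; for the OWA POST neither the path nor the query string carries anything to deny, so no request-filtering change can alter the scanner's result there. Running Test-HostsFileLeak over the body the scanner actually received is the fastest way to tell a real read of the hosts file from a vendor-name match, and the EvidenceStringOnly result is the fact to cite in the dispute.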
 

Author Closing Comment

by:pcservne
ID: 40003494
Thanks for the ideas, but it took a dispute to finally clean it all up.
