Solved

Directory Traversal Vulnerability

Posted on 2014-03-28
Last Modified: 2014-04-16
From Trustwave we are getting 2 different Directory Traversal Vulnerability errors on IIS 6.0 and 7.5.  Here is the information they gave.  Any help would be appreciated.  We installed URLSCAN 3.1 on the 6.0 server and set up ".." filters on IIS 7.5 and still fail.

URL:             https://XX.X.XXX.XX/owa/auth/logon.aspx

Parameter: N/A

Request:      POST /owa/auth/logon.aspx HTTP/1.1
                     Accept: */*
                     User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
                     Host: 71.8.224.86
                     Content-Type: application/x-www-form-urlencoded
                     Content-Length: 87

Response:    HTTP/1.1 200 OK
                      Cache-Control: no-cache, no-store
                      Pragma: no-cache
                      Content-Type: text/html; charset=utf-8
                      Expires: -1
                      Server: Microsoft-IIS/7.5
                      Set-Cookie: OutlookSession=28ed48edd77c46e08eac2cbb49809438; path=/; HttpOnly

Evidence:      Microsoft Corp.

------------------------------------------------------------------------------------------------------------------------------

URL:               http://XX.X.XXX.XX/app/ScriptResource.axd

Parameter:    t

Request:        GET /app/ScriptResource.axd?d=ieoaXiKOrQ2uUTpdNERLtkYZbtThj1dBLbfRwD85axdNv4rbxjgZW0tUtnqnVfytGYIgm7O4l61E2yFShELUGUoSLzsN-1UcYXbugkhjLNMnoOncwiyh-YyZ5w6L8RbkQcHzKECCGOvalujI4E1teR6AkOzBWpk9JJlllU25GlqFdiQYHfr2yC6178yqeD8W0&t=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWINDOWS\system32\drivers\etc\hosts%00 HTTP/1.1
                Accept: */*
                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
                Host: XX.X.XXX.XX

Response:       HTTP/1.1 200 OK
                Date: Fri, 28 Mar 2014 00:23:20 GMT
                Server: Microsoft-IIS/6.0
                MicrosoftOfficeWebServer: 5.0_Pub
                X-Powered-By: ASP.NET
                X-AspNet-Version: 4.0.30319
                Cache-Control: public

Evidence:  Microsoft Corp
Question by:pcservne

9 Comments
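Before chasing the second finding as a real traversal, it is worth checking what the scanner actually matched. Its "Evidence" field is the string "Microsoft Corp", which is the first line of the default Windows hosts file ("# Copyright (c) 1993-2009 Microsoft Corp.") but also a substring of the copyright notices Microsoft ships in its own HTML and script files, including what ScriptResource.axd serves. The PowerShell below is an added example, not code from the original post or from Trustwave: it decodes the t= value exactly as sent above and runs a stricter evidence check over constructed sample responses. The function name and the sample bodies are this example's own, and the scanner's real matching rule is not published on this page.

```powershell
# Added example, not from the original post: take the scanner's second probe
# apart and check its "evidence" against constructed sample responses. The
# function name and the sample bodies are this example's own.

# The t= value exactly as it appears in the finding above. %2F is "/", %00 is
# a NUL byte appended to try to truncate the path right after "hosts".
$probe   = '..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWINDOWS\system32\drivers\etc\hosts%00'
$decoded = [uri]::UnescapeDataString($probe)
$decoded.TrimEnd([char]0)   # ../../../../../../../../../../WINDOWS\system32\drivers\etc\hosts

function Test-TraversalEvidence {
    param(
        [Parameter(Mandatory)][string]$Body,   # response to the request carrying the payload
        [string]$Baseline = ''                 # response to the same URL without it
    )
    # Weak signal: the string the scanner reported. The default Windows hosts
    # file begins "# Copyright (c) 1993-2009 Microsoft Corp.", but the same
    # substring sits in Microsoft copyright notices in HTML and script files.
    $weak = $Body -match 'Microsoft Corp'

    # Strong signal: lines that only a hosts file contains.
    $strong = ($Body -match '(?m)^\s*#\s*This is a sample HOSTS file') -or
              ($Body -match '(?m)^\s*127\.0\.0\.1\s+localhost\b') -or
              ($Body -match '(?m)^\s*::1\s+localhost\b')

    # If the baseline already carries the weak string, the payload changed
    # nothing and the scanner matched the page's own copyright line.
    $inBaseline = [bool]($Baseline -and ($Baseline -match 'Microsoft Corp'))

    [pscustomobject]@{
        WeakMatch   = $weak
        StrongMatch = $strong
        Verdict     = $(
            if ($strong)                    { 'TRAVERSAL CONFIRMED' }
            elseif ($weak -and $inBaseline) { 'FALSE POSITIVE: string is in the unmodified page' }
            elseif ($weak)                  { 'INCONCLUSIVE: fetch a baseline and compare' }
            else                            { 'NO EVIDENCE' }
        )
    }
}

# Constructed sample bodies, not captured from any server.
$scriptBody = "// Copyright (C) Microsoft Corporation. All rights reserved.`r`nType.registerNamespace('Sys');"
$hostsBody  = "# Copyright (c) 1993-2009 Microsoft Corp.`r`n#`r`n# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.`r`n127.0.0.1       localhost"

Test-TraversalEvidence -Body $scriptBody -Baseline $scriptBody   # Verdict: FALSE POSITIVE
Test-TraversalEvidence -Body $hostsBody  -Baseline $scriptBody   # Verdict: TRAVERSAL CONFIRMED
```

To apply this to a live finding, fetch the URL once without the t= payload and once with it, and pass the two bodies as -Baseline and -Body. A 200 response that is byte-for-byte the same script or logon page in both cases is the material to put in a dispute; a body that gains "127.0.0.1 localhost" is a real file read and needs the request-filtering fix discussed further down the thread.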

Expert Comment

by:Scott Fell, EE MVE
ID: 39963409
You probably have parent paths turned on.   This was left on in IIS 6 and turned off in IIS 7 by default, and would have had to have been turned on manually.  

If you have code that starts with ../ and it works, that means parent paths are on and you are open to this attack.  https://www.acunetix.com/websitesecurity/directory-traversal/

Make sure this is set to false http://www.iis.net/learn/application-frameworks/running-classic-asp-applications-on-iis-7-and-iis-8/classic-asp-parent-paths-are-disabled-by-default

This means you may need to rewrite some code where you see images or include files starting with ../

Author Comment

by:pcservne
ID: 39964063
We have already verified parent paths are disabled.

Expert Comment

by:rkane17
ID: 39979193
I too have the same situation with Trustwave and the Directory Traversal Vulnerability.  Ours is like your second issue - GET /app/ScriptResource.axd.  We are running SBS 2011 which has IIS 7.  All updates and patches have been applied as far as I can tell.  SharePoint has latest service packs also.  I also checked the above suggestion for the parent paths, but all were set to false.  As for re-writing code, I can't see how this would be accomplished as it is all Microsoft - SBS server has the remote web interface.  I can't seem to find any answers anywhere and Trustwave support hasn't been any help.

Expert Comment

by:Scott Fell, EE MVE
ID: 39979386
I am not a security expert and I don't use OWA but I am constantly having to make adjustments to my other software based on PCI scans.  I found this article, a bit old, but it seems on point.  

From https://social.technet.microsoft.com/wiki/contents/articles/853.adjustments-for-pci-dss-scan.aspx

Find the logon.asp file on the server and hardcode the url for OWA so that it won't respond to user input.  The file in question is located at C:\Program Files\Exchsrvr\exchweb\bin\auth\<language>\logon.asp (or wherever your Exchange has been installed) which uses user inputs without verification. There are two lines in code that should be edited:

Then find the 2 lines below and comment out
RedirectPath = Request.QueryString("URL")
RedirectPath = Server.HtmlEncode(RedirectPath)

I have ControlScan and when I run into issues they find that I know are not a problem, I have been successful by manually justifying a false positive in detail.  So far it has worked.

Author Comment

by:pcservne
ID: 39980391
Good idea, but it doesn't seem to apply to logon.aspx on Exchange 2010.  Those code lines don't exist in that file.

Expert Comment

by:rkane17
ID: 39980433
Trustwave is still failing us for XSS vulnerability and directory traversal issues.  I applied the registry settings and installed and applied the IISCrypto utility.  I have read elsewhere on here that these may be false positives, so I have disputed these findings with Trustwave and am waiting to hear back.

Expert Comment

by:rkane17
ID: 39995179
Here is a note that shows how to block the Directory Traversal - see the section under the heading "How to deny a URL sequence"

http://www.iis.net/configreference/system.webserver/security/requestfiltering

I am rerunning the Trustwave scan now to see if it solved it.
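The request-filtering page linked above covers URL sequences; the second finding in this thread puts the `..` in a query-string parameter (t=..%2F..), which a URL-sequence rule alone does not inspect. The PowerShell below is an added example, not code from the original post or from the IIS documentation: it adds `..` to both the denyUrlSequences and denyQueryStringSequences collections with the WebAdministration module (IIS 7.5 or later, elevated prompt) and then replays a probe to confirm the rule fires. The site name, base URL and the two function names are placeholders for this example. On IIS 6 with UrlScan 3.1 the equivalent settings are the [DenyUrlSequences] and [DenyQueryStringSequences] sections of urlscan.ini.

```powershell
# Added example, not from the original post: deny ".." in both the URL path and
# the query string with IIS Request Filtering, then replay a probe to confirm
# the rule is effective. Needs the WebAdministration module (IIS 7.5+) in an
# elevated prompt. Site name, base URL and function names are placeholders.
Import-Module WebAdministration

$site   = 'Default Web Site'        # placeholder
$psPath = "IIS:\Sites\$site"
$filter = 'system.webServer/security/requestFiltering'

function Add-DenySequence {
    param(
        [Parameter(Mandatory)][ValidateSet('denyUrlSequences','denyQueryStringSequences')]
        [string]$Collection,
        [Parameter(Mandatory)][string]$Sequence
    )
    # Skip entries that already exist so the script can be re-run safely.
    $existing = Get-WebConfiguration -PSPath $psPath -Filter "$filter/$Collection/add" |
                Where-Object { $_.sequence -eq $Sequence }
    if (-not $existing) {
        Add-WebConfigurationProperty -PSPath $psPath -Filter "$filter/$Collection" `
            -Name '.' -Value @{ sequence = $Sequence }
    }
}

# ".." in the path (the OWA finding): request filtering answers with
# 404.5, "URL sequence denied".
Add-DenySequence -Collection denyUrlSequences -Sequence '..'

# ".." in the query string (the ScriptResource.axd finding, t=..%2F..):
# answered with 404.18, "Query string sequence denied". A URL-only rule,
# which is what ".." filters on IIS 7.5 usually means, does not cover this.
Add-DenySequence -Collection denyQueryStringSequences -Sequence '..'

# Replay: a request that normally succeeds must be refused once ".." appears
# in its query string. Only the status code matters here.
function Get-StatusCode {
    param([Parameter(Mandatory)][string]$Url)
    try {
        [int](Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop).StatusCode
    } catch {
        [int]$_.Exception.Response.StatusCode
    }
}

$base    = 'http://localhost/'                                   # placeholder
$payload = 't=..%2F..%2F..%2F..%2F..%2Fwindows/system32/drivers/etc/hosts'
$clean   = Get-StatusCode -Url $base
$probed  = Get-StatusCode -Url ($base + '?' + $payload)
if ($clean -eq 200 -and $probed -eq 404) {
    'request filtering denies the query-string sequence'
} else {
    "baseline=$clean probe=$probed: rule not effective, check for a site-level web.config overriding it"
}
```

The replay deliberately targets a URL that returns 200 without the payload, so a 404 on the probe can only come from the new rule; replaying against ScriptResource.axd itself is ambiguous because that handler already returns 404 for a bad d= value. If the encoded form still returns 200, add `..%2F` as a second denyQueryStringSequences entry and re-test. Note that a blanket `..` deny in query strings will also break any application that legitimately passes relative paths in a parameter, so check the IIS logs for 404.18 hits after enabling it.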

Accepted Solution

by:pcservne
ID: 39995266
We never cleared the failure on OWA Outlook 2010 running on Server 2008 R2.  We set up URL & query filtering and that solved 5 of our 6 Directory Traversal errors.  We disputed the OWA failure, giving the Server version & detailed version of IIS and stating we implemented URL & query filtering, and they approved the dispute, so we're clean again FINALLY!!!

Author Closing Comment

by:pcservne
ID: 40003494
Thanks for the ideas, but it took a dispute to finally clean it all up.