Solved

Directory Traversal Vulnerability

Posted on 2014-03-28
2,268 Views
Last Modified: 2014-04-16
From Trustwave we are getting 2 different Directory Traversal Vulnerability errors on IIS 6.0 and 7.5.  Here is the information they gave.  Any help would be appreciated.  We installed URLScan 3.1 on the 6.0 server and set up ".." filters on IIS 7.5 and still fail.

URL:             https://XX.X.XXX.XX/owa/auth/logon.aspx

Parameter: N/A

Request:      POST /owa/auth/logon.aspx HTTP/1.1
                     Accept: */*
                     User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
                     Host: 71.8.224.86
                     Content-Type: application/x-www-form-urlencoded
                     Content-Length: 87

Response:    HTTP/1.1 200 OK
                      Cache-Control: no-cache, no-store
                      Pragma: no-cache
                      Content-Type: text/html; charset=utf-8
                      Expires: -1
                      Server: Microsoft-IIS/7.5
                      Set-Cookie: OutlookSession=28ed48edd77c46e08eac2cbb49809438; path=/; HttpOnly

Evidence:      Microsoft Corp.

------------------------------------------------------------------------------------------------------------------------------

URL:               http://XX.X.XXX.XX/app/ScriptResource.axd

Parameter:    t

Request:        GET /app/ScriptResource.axd?d=ieoaXiKOrQ2uUTpdNERLtkYZbtThj1dBLbfRwD85axdNv4rbxjgZW0tUtnqnVfytGYIgm7O4l61E2yFShELUGUoSLzsN-1UcYXbugkhjLNMnoOncwiyh-YyZ5w6L8RbkQcHzKECCGOvalujI4E1teR6AkOzBWpk9JJlllU25GlqFdiQYHfr2yC6178yqeD8W0&t=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWINDOWS\system32\drivers\etc\hosts%00 HTTP/1.1
                     Accept: */*
                     User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
                     Host: XX.X.XXX.XX

Response:    HTTP/1.1 200 OK
                     Date: Fri, 28 Mar 2014 00:23:20 GMT
                     Server: Microsoft-IIS/6.0
                     MicrosoftOfficeWebServer: 5.0_Pub
                     X-Powered-By: ASP.NET
                     X-AspNet-Version: 4.0.30319
                     Cache-Control: public

Evidence:  Microsoft Corp
Question by:pcservne
9 Comments
 
LVL 53

Expert Comment

by:Scott Fell, EE MVE
ID: 39963409
You probably have parent paths turned on.  This was left on in IIS 6 and turned off in IIS 7 by default, and would have had to have been turned on manually.

If you have code that starts with ../ and it works, that means parent paths are on and you are open to this attack.  https://www.acunetix.com/websitesecurity/directory-traversal/

Make sure this is set to false http://www.iis.net/learn/application-frameworks/running-classic-asp-applications-on-iis-7-and-iis-8/classic-asp-parent-paths-are-disabled-by-default

This means you may need to rewrite some code where you see images or include files starting with ../
 

Author Comment

by:pcservne
ID: 39964063
We have already verified parent paths are disabled.
 

Expert Comment

by:rkane17
ID: 39979193
I too have the same situation with Trustwave and the Directory Traversal Vulnerability.  Ours is like your second issue - GET /app/ScriptResource.axd.  We are running SBS 2011 which has IIS 7.  All updates and patches have been applied as far as I can tell.  SharePoint has latest service packs also.  I also checked the above suggestion for the parent paths, but all were set to false.  As for re-writing code, I can't see how this would be accomplished as it is all Microsoft - SBS server has the remote web interface.  I can't seem to find any answers anywhere and Trustwave support hasn't been any help.
 
LVL 53

Expert Comment

by:Scott Fell, EE MVE
ID: 39979386
I am not a security expert and I don't use OWA but I am constantly having to make adjustments to my other software based on PCI scans.  I found this article, a bit old, but it seems on point.  

From https://social.technet.microsoft.com/wiki/contents/articles/853.adjustments-for-pci-dss-scan.aspx

Find the logon.asp file on the server and hardcode the url for OWA so that it won't respond to user input.  The file in question is located at C:\Program Files\Exchsrvr\exchweb\bin\auth\<language>\logon.asp (or wherever your Exchange has been installed) which uses user inputs without verification. There are two lines in code that should be edited:

Then find the 2 lines below and comment out
RedirectPath = Request.QueryString("URL")
RedirectPath = Server.HtmlEncode(RedirectPath)

I have ControlScan and when I run into issues they find that I know are not a problem, I have been successful by manually justifying a false positive in detail.  So far it has worked.
 

Author Comment

by:pcservne
ID: 39980391
Good idea, but it doesn't seem to apply to logon.aspx on Exchange 2010.  Those code lines don't exist in that file.
 

Expert Comment

by:rkane17
ID: 39980433
Trustwave still failing us for XSS vulnerability and directory traversal issues.  I applied the registry settings and installed and applied the IISCrypto utility.  I have read elsewhere on here that these may be false positives, so I have disputed these findings with Trustwave and am waiting to hear back.
 

Expert Comment

by:rkane17
ID: 39995179
Here is a note that shows how to block the Directory Traversal - see the section under the heading "How to deny a URL sequence":

http://www.iis.net/configreference/system.webserver/security/requestfiltering

I am rerunning the Trustwave scan now to see if it solved it.
 

Accepted Solution

by:
pcservne earned 0 total points
ID: 39995266
We never cleared the failure on OWA Outlook 2010 running on Server 2008 R2.  We set up URL & query filtering and that solved 5 of our 6 Directory Traversal errors.  We disputed the OWA failure giving the Server version & detailed version of IIS and stating we implemented URL & query filtering and they approved the dispute, so we're clean again FINALLY!!!
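Added example, not code from the thread, from Trustwave or from Microsoft. It ties together the second finding in the question, the request-filtering link rkane17 posted and the "URL & query filtering" of the accepted solution. The traversal in that finding sits in the query-string parameter t, not in the URL path, so a ".." entry under denyUrlSequences in web.config (or under [DenyUrlSequences] in urlscan.ini) never sees it; IIS 7.5 added denyQueryStringSequences for that, and URLScan 3.1 has a matching [DenyQueryStringSequences] section. The script emulates a deny-sequence check on the scanner's request under a path-only web.config and under one that also covers the query string, and it also shows why "Microsoft Corp" alone is weak evidence for reading the hosts file: it is the start of the copyright line at the top of every Windows hosts file, but it turns up in ordinary Microsoft-shipped content too. The two web.config fragments, the shortened d= token and the two response bodies are constructed for the example, and the decode-then-substring matching is an approximation of what IIS request filtering does, not its code.

```python
"""Added example: not code from the thread, Trustwave or Microsoft.

Emulates an IIS request-filtering deny-sequence check on the scanner's
request, once with a web.config that only lists ".." under
denyUrlSequences (the URL path) and once with ".." also under
denyQueryStringSequences. Decode-then-substring matching approximates
IIS and is an assumption; config fragments and bodies are constructed.
"""
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Request target from the thread; the long d= token is shortened (constructed).
SCANNER_TARGET = (
    "/app/ScriptResource.axd"
    "?d=ieoaXiKOrQ2uUTpdNERLtkYZbtThj1dB"
    "&t=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F"
    "WINDOWS\\system32\\drivers\\etc\\hosts%00"
)

# Path-only rule: the ".." filter on the URL that the question describes.
WEAK_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence=".." />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

# Same sequence denied in the query string as well (denyQueryStringSequences, IIS 7.5+).
FIXED_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence=".." />
        </denyUrlSequences>
        <denyQueryStringSequences>
          <add sequence=".." />
        </denyQueryStringSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""


def load_rules(web_config: str) -> dict:
    """Collect deny sequences from a web.config string, keyed by 'url' / 'query'."""
    root = ET.fromstring(web_config)
    rules = {"url": [], "query": []}
    for scope, tag in (("url", "denyUrlSequences"), ("query", "denyQueryStringSequences")):
        for node in root.iter(tag):
            rules[scope] += [a.get("sequence", "") for a in node.findall("add")]
    return rules


def decode(component: str) -> str:
    """Percent-decode (%2F -> '/', %00 -> NUL) and lower-case; the filter is
    assumed to compare case-insensitively against the decoded request."""
    return urllib.parse.unquote(component).lower()


def is_blocked(target: str, rules: dict) -> tuple:
    """Apply the rules to '/path?query'. Returns (blocked, reason)."""
    path, _, query = target.partition("?")
    for seq in rules["url"]:
        if seq.lower() in decode(path):
            return True, f"url sequence {seq!r}"
    for seq in rules["query"]:
        if seq.lower() in decode(query):
            return True, f"query-string sequence {seq!r}"
    return False, "no rule matched"


def looks_like_hosts_file(body: str) -> bool:
    """True only when the body carries the Windows hosts-file header lines,
    not merely the words 'Microsoft Corp' that the scanner reports as evidence."""
    header = re.search(r"Copyright \(c\) 1993-\d{4} Microsoft Corp\.", body)
    sample = "This is a sample HOSTS file used by Microsoft TCP/IP for Windows" in body
    return header is not None and sample


# Constructed response bodies: a script that merely names the vendor, and a
# body that really is a Windows hosts file.
JS_BODY = "// Copyright (c) Microsoft Corp. All rights reserved.\nType.registerNamespace('Sys');\n"
HOSTS_BODY = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "#\t127.0.0.1       localhost\n"
)

if __name__ == "__main__":
    for label, cfg in (("path-only", WEAK_CONFIG), ("path + query", FIXED_CONFIG)):
        print(f"{label:13} -> {is_blocked(SCANNER_TARGET, load_rules(cfg))}")
    print("decoded t carries a NUL byte:", "\x00" in decode(SCANNER_TARGET))
    print("JS body looks like hosts file:", looks_like_hosts_file(JS_BODY))
    print("hosts body looks like hosts file:", looks_like_hosts_file(HOSTS_BODY))
```

On a real IIS 7.5 box the path-only config lets the request through to ScriptResource.axd (which is why a 200 comes back), while the second config makes request filtering answer it with a 404 whose substatus is 404.18 (query string sequence denied; a path hit is 404.5). Before rolling the query-string rule out, grep the IIS logs for legitimate query strings that contain ".." (relative URLs in ReturnUrl-style parameters are the usual casualty), and keep the hosts-file check in mind when disputing: the scanner's "Microsoft Corp" evidence is satisfied by any page that mentions the vendor.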
 

Author Closing Comment

by:pcservne
ID: 40003494
Thanks for the ideas, but it took a dispute to finally clean it all up.
