Directory Traversal Vulnerability

From Trustwave we are getting 2 different Directory Traversal Vulnerability errors on IIS 6.0 and 7.5. Here is the information they gave. Any help would be appreciated. We installed URLSCAN 3.1 on the 6.0 server and set up ".." filters on IIS 7.5 and still fail.

URL:             https://XX.X.XXX.XX/owa/auth/logon.aspx

Parameter: N/A

Request:      POST /owa/auth/logon.aspx HTTP/1.1
                     Accept: */*
                     User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
                     Host: 71.8.224.86
                     Content-Type: application/x-www-form-urlencoded
                     Content-Length: 87

Response:    HTTP/1.1 200 OK
                      Cache-Control: no-cache, no-store
                      Pragma: no-cache
                      Content-Type: text/html; charset=utf-8
                      Expires: -1
                      Server: Microsoft-IIS/7.5
                      Set-Cookie: OutlookSession=28ed48edd77c46e08eac2cbb49809438; path=/; HttpOnly

Evidence:      Microsoft Corp.

------------------------------------------------------------------------------------------------------------------------------

URL:               http://XX.X.XXX.XX/app/ScriptResource.axd

Parameter:    t

Request:        GET /app/ScriptResource.axd?d=ieoaXiKOrQ2uUTpdNERLtkYZbtThj1dBLbfRwD85axdNv4rbxjgZW0tUtnqnVfytGYIgm7O4l61E2yFShELUGUoSLzsN-1UcYXbugkhjLNMnoOncwiyh-YyZ5w6L8RbkQcHzKECCGOvalujI4E1teR6AkOzBWpk9JJlllU25GlqFdiQYHfr2yC6178yqeD8W0&t=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWINDOWS\system32\drivers\etc\hosts%00 HTTP/1.1
                     Accept: */*
                     User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
                     Host: XX.X.XXX.XX

Response:    HTTP/1.1 200 OK
                      Date: Fri, 28 Mar 2014 00:23:20 GMT
                      Server: Microsoft-IIS/6.0
                      MicrosoftOfficeWebServer: 5.0_Pub
                      X-Powered-By: ASP.NET
                      X-AspNet-Version: 4.0.30319
                      Cache-Control: public

Evidence:  Microsoft Corp
pcservne (Author, accepted solution) Commented:
We never cleared the failure on OWA Outlook 2010 running on Server 2008 R2. We set up URL & query filtering and that solved 5 of our 6 Directory Traversal errors. We disputed the OWA failure, giving the Server version & detailed version of IIS and stating we implemented URL & query filtering, and they approved the dispute, so we're clean again FINALLY!!!
Scott Fell (EE MVE, Developer) Commented:
You probably have parent paths turned on. This was left on in IIS 6 and turned off in IIS 7 by default, and would have had to have been turned on manually.

If you have code that starts with ../ and it works, that means parent paths are on and you are open to this attack.  https://www.acunetix.com/websitesecurity/directory-traversal/

Make sure this is set to false http://www.iis.net/learn/application-frameworks/running-classic-asp-applications-on-iis-7-and-iis-8/classic-asp-parent-paths-are-disabled-by-default

This means you may need to rewrite some code where you see images or include files starting with ../
pcservne (Author) Commented:
We have already verified parent paths are disabled.
rkane17 Commented:
I too have the same situation with Trustwave and the Directory Traversal Vulnerability.  Ours is like your second issue - GET /app/ScriptResource.axd.  We are running SBS 2011 which has IIS 7.  All updates and patches have been applied as far as I can tell.  SharePoint has latest service packs also.  I also checked the above suggestion for the parent paths, but all were set to false.  As for re-writing code, I can't see how this would be accomplished as it is all Microsoft - SBS server has the remote web interface.  I can't seem to find any answers anywhere and Trustwave support hasn't been any help.
Scott Fell (EE MVE, Developer) Commented:
I am not a security expert and I don't use OWA but I am constantly having to make adjustments to my other software based on PCI scans.  I found this article, a bit old, but it seems on point.  

From https://social.technet.microsoft.com/wiki/contents/articles/853.adjustments-for-pci-dss-scan.aspx

Find the logon.asp file on the server and hardcode the url for OWA so that it won't respond to user input.  The file in question is located at C:\Program Files\Exchsrvr\exchweb\bin\auth\<language>\logon.asp (or wherever your Exchange has been installed) which uses user inputs without verification. There are two lines in code that should be edited:

Then find the 2 lines below and comment them out:
RedirectPath = Request.QueryString("URL")
RedirectPath = Server.HTMLEncode(RedirectPath)

I have ControlScan and when I run into issues they find that I know are not a problem, I have been successful by manually justifying a false positive in detail.  So far it has worked.
pcservne (Author) Commented:
Good idea, but it doesn't seem to apply to logon.aspx on Exchange 2010.  Those code lines don't exist in that file.
rkane17 Commented:
Trustwave is still failing us for XSS vulnerability and directory traversal issues. I applied the registry settings and installed and applied the IISCrypto utility. I have read elsewhere on here that these may be false positives, so I have disputed these findings with Trustwave and am waiting to hear back.
rkane17 Commented:
Here is a note that shows how to block the Directory Traversal - see the section under the heading "How to deny a URL sequence":

http://www.iis.net/configreference/system.webserver/security/requestfiltering

I am rerunning the Trustwave scan now to see if it solved it.
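As an added illustration (not code from this thread, from IIS or from Trustwave), here is a small Python script that emulates the deny-sequence checks from the request-filtering page above against request lines modelled on the two findings in the question, so you can see which one a URL-only rule catches and which one needs a query-string rule as well; the rule set, helper names and sample request lines are assumptions of mine.

```python
"""Emulate IIS request-filtering 'deny sequence' checks on raw request lines.

Added example, not code from the thread, from IIS or from Trustwave; the
rule set, helper names and sample request lines are my own. It shows why a
'..' rule on the URL path alone (denyUrlSequences) misses the second
finding, where the traversal sits in the 't' query parameter, and why a
matching query-string rule (denyQueryStringSequences) is needed as well.
"""
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed deny list: '..', a backslash and a NUL byte, checked after decoding.
DENY_SEQUENCES = ("..", "\\", "\x00")

# Constructed request lines modelled on the two findings quoted in the question.
REQUESTS = [
    "POST /owa/auth/logon.aspx HTTP/1.1",
    "GET /app/ScriptResource.axd?d=abc123"
    "&t=..%2F..%2F..%2FWINDOWS\\system32\\drivers\\etc\\hosts%00 HTTP/1.1",
    "GET /app/..%2F..%2Fweb.config HTTP/1.1",
]


def denied_sequences(text: str) -> list[str]:
    """Return the deny-list entries present after percent-decoding twice,
    so a double-encoded '..' (%252e%252e) is not missed."""
    decoded = unquote(unquote(text))
    return [seq for seq in DENY_SEQUENCES if seq in decoded]


def check_request(request_line: str, filter_query: bool) -> dict:
    """Apply the deny list to the URL path and, if filter_query is set, to
    every query-string value; 'blocked' is True when anything matched."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    result = {"path": denied_sequences(parts.path), "query": {}}
    if filter_query:
        # parse_qsl already decodes values once; denied_sequences decodes again.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            found = denied_sequences(value)
            if found:
                result["query"][name] = found
    result["blocked"] = bool(result["path"] or result["query"])
    return result


if __name__ == "__main__":
    for line in REQUESTS:
        url_only = check_request(line, filter_query=False)["blocked"]
        both = check_request(line, filter_query=True)["blocked"]
        print(f"{line.split(' ')[1][:40]:<42} url-only={url_only!s:<5} url+query={both}")
```

The OWA request line carries no traversal sequence at all, so no deny rule changes its result, which matches the thread's experience that the logon.aspx finding was only cleared by dispute.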
 
pcservne (Author) Commented:
Thanks for the ideas, but it took a dispute to finally clean it all up.