[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 887
  • Last Modified:

Why am I getting directory authentication bypass in ssrs using IIS 7.5

I have a web server that is hosted on windows 2008R2, IIS 7.5, and SSRS on SQL 2008.  When I run a security scan I get a report that I have a vunerability because I am am running Microsoft IIS 5.1 and can have a directory authentication bypass vulnerability.

The fix is to use IIS 6 and above. I am running IIS 7.5 so how am I getting this vulnerability and how do i fix it?
0
jimmylew52
Asked:
jimmylew52
  • 10
  • 7
1 Solution
 
becraigCommented:
Here is a link to the relevant KBS to resolve this:
https://technet.microsoft.com/en-us/library/security/ms10-065.aspx

Though it says IIS 5.1 is it applicable for 7.5 as well
0
 
jimmylew52Author Commented:
The last thing to be done is "Click OK and then click No to disallow the ISAPI extension.".

When I click "NO" ASPClassic is still Enabled.

How do I disable it?
0
 
becraigCommented:
If you are not using ASP classic and want to disable it, simply:
open server manager

Then scroll down to the Web Server role
Remove web services
Uncheck ASP - ISAPI Extensions
Complete the wizard.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
jimmylew52Author Commented:
Also It says  it is not applicable to IIS 7.5
0
 
becraigCommented:
Here is the KB for 7.5:
Windows Server 2008 R2 for x64-based Systems      Internet Information Services 7.5*
(KB2124261)      Denial of Service      Important      None
Windows Server 2008 R2 for Itanium-based Systems      Internet Information Services 7.5
(KB2124261)      Denial of Service      Important      None

Please give http://support.microsoft.com/kb/2124261 a complete read to find the applicable fix for your system - OS / IIS version.
0
 
jimmylew52Author Commented:
ASP is allowed on our 2003 servers so I think we are using ASP. I has been 5 years since this app was deployed and it has only been deployed on 2003 server 32 bit.
0
 
becraigCommented:
Ok so you do not want to disable ASP.

If you give the page on the KB a thorough read, you should find how to patch this vulnerability.

This should be the link you need:
http://www.microsoft.com/en-us/download/details.aspx?id=13098

However you need to verify the OS version and ISS version to get the correct one.
The link I gave above is for 64bit IIS7.5 server 2008R2
0
 
jimmylew52Author Commented:
The file says it does not apply to my system.

I an running 64 bit server 2008R2 & IIS version 7.5.7600.16385
0
 
jimmylew52Author Commented:
Server 2008 R2 SP 1 if that makes a difference.
0
 
becraigCommented:
Go through the list of relevant KBs per your OS/IIS config:
https://technet.microsoft.com/library/security/ms10-065
0
 
jimmylew52Author Commented:
These patches were included in SP1 on 2008 R2 so they do not apply.
This vulnerability should not be present according to Microsoft.
0
 
becraigCommented:
What specific scan is indicating this vulnerability ?
0
 
jimmylew52Author Commented:
Acunetix Online Vulnerability Scanner  -- using their web app scanner.
0
 
jimmylew52Author Commented:
Description from the report:
An elevation of privilege vulnerability exists in IIS version 5.1. By adding :$i30:$INDEX_ALLOCATION to the directory name it's possible to bypass the directory authentication. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication.

Recommendation Upgrade to IIS 6 or IIS 7. These versions are not affected by this vulnerability. In these versions, IIS does not accept colon (:) character in the URL.

GET /ReportServer:$I30:$Index_Allocation/ HTTP/1.1 Cookie: ASP.NET_SessionId=cack4ccackvrawl4zvmrhney Host: 2008R2eTariff.etariffdev.biz Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36 Accept: */*
0
 
becraigCommented:
Here is the link for the fast cgi fix:
http://www.microsoft.com/en-us/download/details.aspx?id=15144

Let me know if that also reports as not being applicable, if so you may have to engage MS Support.
0
 
jimmylew52Author Commented:
Thanks for all your input. This has also been rolled up in service pack 1.

I did find a solution. We do not use CGI so i uninstalled it. I think it was selected by default but I am not sure. I also used "Deny sequence" for .PHP for the default website and between the two the problem has gone away.

Thanks again, you kept me from giving up.
0
 
jimmylew52Author Commented:
Your suggestions would have been valid if I had not already installed SP1
0

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

  • 10
  • 7
Tackle projects and never again get stuck behind a technical roadblock.
Join Now