2004/11/08 03:44:00
pverzoni

Anonymous user vulnerability

Hey all?

What are your thoughts with HC and HF1.4 now giving the anonymous account write access on www folder.

I understand that it is required for some asp apps to run but giving write access to the entire www folder seems overkill to me, no?

Peter
HC Team
Anonymous user is given WRITE permission within its WWW/DB folder only and I don't see any security risk involved with that. :)

Aziz?
2004/09/11 02:23:45
pverzoni
Thanks Aziz,

I am just thinking ahead here in and if there is a risk involved.

The thought of the iusr account having write permissions on the root of the site kind of scares me, I will do more research though - if anyone has any thoughts let me know.

Peter
2004/09/11 12:08:02
crnunez
Hi,
I don't understand. I think that functionality is completely unnecessary and very dangerous. Never can an anonymous user be given Write on WWW!

http://hostingcontroller.com/english/logs/hotfixlogv61_1_4.html
said:

Improvements

The ACL manager now allows adding/editing of web anonymous user account.
The anonymous user is now automatically given READ/WRITE permission over WWW & DB folder. This ensures proper functioning of database driven websites.

If any user has execute over WWW!! A hacking attack is 100% possible!!!
I think that if an user by means of ACL can add permits execute it has more than enough www, any user (WEBADMIN) it can destroy a server.

Some convincing answer?

Best regards,
2004/09/11 12:56:07
pverzoni
Aziz,

I am not a developer so I don't know but I consulted with our in-house developers, all said it was a bad idea. I did some research on the web and the consensus is that it is a bad idea.

Well I was concerned about this so I took it up and called Microsoft support (yes $245 incident) and I think you want to change this feature.

From MS IIS support this is a BIG no. They gave some really scary scenarios where hackers could take advantage of this. Their recommendation is to allow the IUSR account to write only where needed and on a per needed basis, not the entire web directory.

Anyone have any ideas in regards? I think this is a bad idea for security, no?

Peter
2004/09/11 13:23:40
crnunez
Hi,
Please remove this serious possible big bug!

Microsoft never recommended the attribute WRITE for the WWW sites!
http://support.microsoft.com/kb/187506/en-us

Also, any WEBADMIN can destroy the server with this feature.

Thanks!
2004/09/11 15:16:08
impactgc
So what is the verdict HC? Will you be updating the service pack?
2004/09/11 17:12:05
HC Team
Thanks for the input, everyone.

Before you verdict this as a vulnerability you need to understand the security structure we implement on the website. Each website is given a unique anonymous user (domain.com_web). This user is not same as IUSR_MACHINE as this has only rights on its designated folders. This policy makes it possible that when EVERYONE is removed nobody can access others data on shared server.

Having this said, when we give WRITE permission to Domain.com_Web user, it means that we are allowing the site owner to write such scripts that may create files in his WWW folder ONLY and read/write database IF it is also uploaded in the WWW folder (many novice developers do this). It is important to understand this Domain.com_Web is a unique user whom we give WRITE right only on designated WWW/DB folder and technically speaking there is no way he could access other places or destroy the server.

I understand that Microsoft support may have suggested not to give write permission but did you tell them the exact scenario and did you ask them how database is manipulated if we remove anonymous write access?

In short, I assure you, to the best of my knowledge and experience, that WRITE permission is not a security threat for server rather it eases additional support burden from your shoulder.

Thanks for listening to us.
2004/09/11 23:48:49
pverzoni
So Aziz,

can you guarantee that a hacker cannot take advantage of this relaxed permission?

Also why does Microsoft consider it best practice to restrict write access to the IUSR account (see http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/sec_checklist.mspx)

Are you saying Microsoft is wrong?

2004/10/11 08:18:31
Dean
On one of my systems HC has been giving anonymous user write permissions on www folder for as long as I can remember (which is at least a few months - heheh)

My 2 cents:

I would tend to agree that anon user should not have write permission on www folder by default (but it is good that ACL manager allows for configuring anon user instead of Everyone). True, MS comments on the subject do refer to the default installation of IIS, however, it is also true that according to MS Best Practices one should always apply the Principle of Least Privilege when setting ntfs permissions. Thus anon user should have write permission on www folder only when all files in that folder require it - a rare example; moreover, it should not be inherited by subfolders. If a single file among many files in www requires write then only the file should receive it.
2004/10/11 10:42:14
crnunez
Hello again,
I never install this Hot Fix (1.4) while appear this terrible BUG in the permissions of the WRITE.
Facts:

1º) Anonymous User, in recommendation of Microsoft and all the forums of security on the web, never recommended the write permission for these users.

2º) In the structure of HC the folders are:

DB, LOG, Special and WWW; I always recommend for my clients install the Database in DB folder and never in other folder.

3º) In the last month one of the farm servers was completely hacked and destroyed all the information for bad permissions (write) in the FrontPage 2002. Was an anonymous giving him permissions and climbing.

Regards
2004/10/11 11:24:48
pverzoni
That is my point exactly, webmins should decide which folders need to allow write permissions but allowing the entire www directory anon write seems to be a disaster waiting to happen.

I can just see this months down the road where a worm comes out and sites with certain conditions (among which anon write) are affected. Then we will all be scrambling to fix.

Any comments anyone?
2004/10/11 13:45:38
HC Team
crnunez, you are mixing WRITE permissions on website with WRITE permissions of domain.com_web user. WRITE permissions on website is indeed dangerous and if it is ON anyone can login to your website with FrontPage. For understanding of what WRITE permission on website is, please refer to http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/sec_acc_settwebperm.mspx.

I am not denying Microsoft best practices. I am just trying to explain that the anonymous user of your website is a unique user that has access on your websites ONLY. I still couldn't think how one can compromise server just because of write permission on WWW folder. Can you show an example on our demo server which is open to you? or this is just fear of unknown? We will not remove this unless we are convinced with example.
2004/11/11 02:09:58
The Bitland Prince
Hello

I was mixed when reading release notes about this feature too. However, I tend to agree with HC this has (or should have) limited scope.

As they wrote, specific website anon user will get write access to website folders. If server ACL is properly configured, this would mean that only that specific website folders are under moderate risk, not the server itself or other websites.

Risk is someone might exploit a bug in code to gain write access to that website folders and only to them. I guess HC was trying to provide a more "relaxed" setup in order to provide advantages to all those users who deploy pre-made websites / CMS which usually might require write access to some or all folders. However, a risk that bugs could be exploited to gain write access to website folders actually exists. Of course, IUSR_server account is not involved as anonymous user for a specific website is not IUSR_server account.

However, if ACL for your server are not properly configured, that server is under threat of being hacked even if anonymous user for a website only has read privileges for those folders. If that user can get outside a fair scope (for example, it could be able to read c:\) that's not properly configured!

My take: ACL management is maybe hardest part to learn. Instead of relaxed ACL settings, HC might provide wizards for novice users to guide them in a simple way. For example, instead of allowing them to change ACL settings, a wizard could ask:

--- ACL WIZARD ---
Do you want to enable write access for:

[ ] entire website
[ ] a database folder
[ ] only a specific folder

Option:

[ ] also set same access to child objects

----- ACL WIZARD -----

Of course, expert users should be able to set manually ACLs but this could help novice users to balance between security and flexibility.

Regards.
2004/11/11 04:54:47
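
One way to apply the least-privilege advice from Dean's post and the scope choices in the ACL wizard sketch above, as an added PowerShell example that is not part of the thread or of Hosting Controller. The site path, machine name and `uploads` folder are hypothetical placeholders; the account name follows the `domain.com_web` pattern described in the thread.

```powershell
# Added example. Paths, machine name and folder names are hypothetical placeholders.
$SiteRoot = 'D:\Sites\example.com\www'
$AnonUser = 'SERVER01\example.com_web'   # per-site anonymous account (domain.com_web pattern)

# Report every folder where the account holds an Allow ACE that can change content.
# Note: ACEs stored as generic rights (shown as raw numbers) are not matched by this mask.
function Get-AnonWriteAce {
    param([string]$Root, [string]$Account)
    $mask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $dirs = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Directory)
    foreach ($dir in $dirs) {
        foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
            if ($ace.IdentityReference.Value -ne $Account) { continue }
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.FileSystemRights -band $mask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $dir.FullName
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited      # False: set on this folder; True: flowed down from a parent
                FlowsTo   = $ace.InheritanceFlags # None, ContainerInherit and/or ObjectInherit
            }
        }
    }
}

# Grant Modify on one folder. By default the ACE reaches the folder and the files
# directly inside it, and stops there (NoPropagateInherit), so subfolders stay
# read-only. -IncludeChildren is the wizard's "also set same access to child objects".
function Grant-AnonWrite {
    param([string]$Folder, [string]$Account, [switch]$IncludeChildren)
    if ($IncludeChildren) { $inherit = 'ContainerInherit, ObjectInherit'; $propagate = 'None' }
    else                  { $inherit = 'ObjectInherit'; $propagate = 'NoPropagateInherit' }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Account, 'Modify', $inherit, $propagate, 'Allow'
    $acl = Get-Acl -LiteralPath $Folder
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Folder -AclObject $acl
}

# 1. List where the account can already write; a non-inherited hit on $SiteRoot
#    itself is the site-wide grant the thread is arguing about.
Get-AnonWriteAce -Root $SiteRoot -Account $AnonUser | Format-Table -AutoSize

# 2. Give write access to a single data folder instead of the whole site.
Grant-AnonWrite -Folder (Join-Path $SiteRoot 'uploads') -Account $AnonUser
```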
crnunez
Hello,
We are very concerned for the security of the server. I am not a hacker, but a hacker has the knowledge to make magic like we all know to destroy with minimum tools. Microsoft Corporation (xxxx Engineers) It has many bug of security every time. For this reason anything is not convenient to open never anything for a hacker, we cannot let them to have the most minimum attack opportunity.
The hacking attacks in the first step attempts escalate the permissions, with write is possible install any dangerous code and the next step is obtain Execute permission for complete the process...

But I and all the clients will be much calmer if Hosting Controller guarantees 100% that won't pass anything.

(I think that I am not paranoiac for the security, but in the last attack hacking, I had to pay a rebuild of the server, to big amount ($$$), +30 hours down, 16 customer loss, and much losses...)

Best Regards,
2004/11/11 07:34:18
Dean
In other words, what you are saying is: it's OK if a website is open to hacking since only that site will be destroyed? These are customers, not just html files!

Moreover, server could be compromised by hacker using resources assigned to webadmin for things like proxy, providing a launching site for hacking other servers, warez, etc.
2004/11/11 07:41:46
Vogon
First, I'm MS Certified System Engineer (MCSE+I) and I'm CTO in my company. So, I know something about Windows server OS and security...

I think this feature is very big security hole, but not for server (OS) because web anonymous user haven't critical system rights. This is big security hole for websites (for customers).

I have a scenario where everybody can upload files on web. These files may have malicious code or just HTML or .exe (for .exe files hole is policy settings where is "allowed access to global objects"). Somebody may need a little extra bandwidth, maybe (scenario with uploaded .mp3 files or porno pictures).
Of course, this scenario is OK only if this website anonymous user (domain.com_web) have write permissions on any web folder (/WWW).

I will not install this hotfix and any cumulative hotfix with this feature in the future. I don't want to manage NTFS permissions for every new customer "by hands", so please, remove this feature...
2004/11/11 14:52:44
impactgc
Is this feature worth having HC's customers concerned about security.. If not I would change the permissions back.

2004/11/11 15:15:21
pverzoni
I am still not convinced that this is safe.

HC, why don't you make a variable that reseller can choose at setup that allows site anon write?

PV
2004/11/11 15:58:07
HC Team
Everyone is talking about security, hacking, exploits, and such stuff but I still don't understand where the risk lies. We know the theory, let's be practical. Would anyone give us a practical demonstration of "Write Permission Exploit" on our demo server?
2004/12/11 02:07:10
Dean
I don't know how to hack, but maybe if you give me the site name and enable Write permission in webadmin's panel Site properties I will give it a try.
2004/12/11 15:02:31
HC Team
Sorry for late follow-up on this thread. I don't understand why I shall enable WRITE permission on website? This is security problem, we know, and we never said HC does this. All you should ask is "I don't know how to hack, but maybe if you give me the site name and enable anonymous WRITE permission on the WWW folder of a domain I will give it a try" ..
2004/11/17 03:19:39
Dean
The www folder already has ntfs write permissions. I am asking you, as site webadmin, to go into demo site properties in HC and enable web Write permission - there is a check box that allows webadmin to do this. Don't you think the combination of HC giving NTFS Write and the webadmin enabling IIS write permission is a security problem?
2004/11/17 14:13:02
