MPSB03-02 - Using Windows NT Authentication and Windows file permissions

Author:
brook
02/01/2003 06:08 PM

Hello Weekenders,

I'm sure most of you got the MM Security bulletin the other day (http://www.macromedia.com/security). I am trying to figure out what the security breach is if the steps outlined in the Security Bulletin are not taken. It doesn't describe what level of access an attacker could gain through this exploit.

And since we use the SES URLs (mysite.com/index.cfm/myvar/myvarvalue/), I can not easily implement this security fix because checking the "check that file exists" box in IIS causes 404's, since the file name is buried in the query string.

So if anyone can fill me in on the severity of this exploit, then I can appropriately decide if I need to make some serious changes to multiple sites or find an alternative.

Thanks

Brook Davies
maracasmedia

Author:
mark brinkworth
02/02/2003 12:01 AM

My understanding of this was that anybody could run the CFM template regardless of their NTFS file permissions for that template.

Cheers

--- brook@maracasmedia.com wrote:
> Hello Weekenders,
----- Excess quoted text cut - see Original Post for more -----

Author:
mark brinkworth
02/02/2003 12:08 AM

Forgot to include another link that may help you:
http://www.securitytracker.com/alerts/2003/Jan/1006023.html

Cheers

--- brook@maracasmedia.com wrote:
> Hello Weekenders,
----- Excess quoted text cut - see Original Post for more -----

Author:
brook
02/02/2003 12:55 AM

Ok Thanks :)

I guess my next question is: Is there any way to use the "check that file exists" setting in IIS while using SES URLs?

Example: http://www.mysite.com/index.cfm/fuseaction/display/

Brook

At 05:05 AM 2/2/03 +0000, you wrote:
----- Excess quoted text cut - see Original Post for more -----

Author:
Jochem van Dieten
02/02/2003 04:45 PM

brook@maracasmedia.com wrote:
> Yikes - that would mean we would have to recode basically every app we have
> ever made that has  and web accessible admin directory. Do you think it
> would be safe to use a cold fusion scripted login routine instead of ACL's
> and Windows Authentication.

If you can write a decent login it should be no problem.

> Does anyone know how this exploit is exploited? What context is the CFM
> template executed under? Is the application.cfm file still executed?

Think of it as a priorities issue. Until CF MX the priority of the IIS security filter was higher than the priority of CF, so first the IIS security was checked and then the control was passed on to the CF Service. Now with CF MX the priority of the filter that intercepts requests for CF MX and redirects them to CF MX is higher than the priority of the IIS Security filter. So the request is passed on to the CF MX service before IIS security settings are checked. But it is still a normal request, and all the normal ACL rules still apply.

Jochem

Author:
brook
02/02/2003 05:02 PM

If the ACL's rules still apply, are they enough to use to restrict access?

At 10:42 PM 2/2/2003 +0100, you wrote:
----- Excess quoted text cut - see Original Post for more -----

Author:
Jochem van Dieten
02/02/2003 05:22 PM

brook@maracasmedia.com wrote:
> If the ACL's rules still apply, are they enough to use to restrict access?

Could you elaborate? What do you want to do?

Jochem

Author:
brook
02/02/2003 06:25 PM

Well, for an administrative tools directory, off the root of a site. If the ACL's deny access to the IUSR account, any unauthenticated user is prompted to enter their username/password to access the cfm files within that directory (or if the files themselves have these ACL's). Is that enough security for a password protected directory? An attacker would still have to guess/brute force the password to gain access to those files/directories, right?

Brook

At 11:18 PM 2/2/2003 +0100, you wrote:
----- Excess quoted text cut - see Original Post for more -----

Author:
Jochem van Dieten
02/02/2003 07:16 PM

brook@maracasmedia.com wrote:
> Well, for an administrative tools directory, off the root of a site. If the
> ACL's deny access to the IUSR account, any unauthenticated user is prompted
> to enter their username/password to access the cfm files within that
> directory (or if the files themselves have these ACL's).

It is my understanding that unless you switch on "Check that file exists" nobody is asked for their u/p.

Jochem

Author:
Jesse Houwing
02/03/2003 08:44 AM

Jochem van Dieten wrote:
----- Excess quoted text cut - see Original Post for more -----

One does get asked, but any username/pass is accepted (empty too), as CFMX doesn't do an ACL check, it just accepts the username/pass.

Jesse

Author:
brook
02/02/2003 07:37 PM

I don't see that happening. I am still prompted for a u/p. Maybe because the server does not have Updater 2 installed. I'll double-check - thanks.

brook

At 01:12 AM 2/3/2003 +0100, you wrote:
----- Excess quoted text cut - see Original Post for more -----

Author:
Jochem van Dieten
02/03/2003 06:43 AM

Dave Watts wrote:
----- Excess quoted text cut - see Original Post for more -----

Filters may take over control of a request before authentication, while extensions are always after authentication.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iisref/html/psdk/asp/isgu744y.asp

> If any Macromedia people want to shed more light on the nature of the IIS
> authentication problem, I'd appreciate it.

I would like to know what event notifications are used by the jrun filter and what SF_STATUS code it returns.

Jochem

Author:
Jesse Houwing
02/03/2003 08:49 AM

----- Excess quoted text cut - see Original Post for more -----

If you have the ISAPI filter on, and haven't checked the "file exists" then your username/password are negated, and all requests to .cfm files are handled under the ColdFusion MX user context regardless of what you entered.

----- Excess quoted text cut - see Original Post for more -----

Which normally is the LocalSystem account, which will grant CFMX all access. Running CFMX under a different user isn't as easy as it might seem. Just changing the user context didn't do the trick here, it requires a bunch of registry/ACL changes too.

----- Excess quoted text cut - see Original Post for more -----

Yes it is.

Jesse
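
An added example, not part of the thread or of the Macromedia bulletin: the "Check that file exists" box discussed above is stored per script mapping in the IIS metabase `ScriptMaps` property as flag bit 4 (`MD_SCRIPTMAPFLAG_CHECK_PATH_INFO`), so it can be audited across sites and directories. The metabase nodes and `jrun.dll` paths in the sample are constructed, and auditing only the `.cfm` mapping is an assumption.

```python
# Audit IIS ScriptMaps entries ("ext,processor,flags[,verb,...]") for the
# "Check that file exists" flag on ColdFusion mappings.
# Bit 1 marks a script engine; bit 4 is the file-exists check.
MD_SCRIPTMAPFLAG_CHECK_PATH_INFO = 0x4

# Constructed sample: metabase node -> ScriptMaps strings (paths are made up).
SAMPLE = {
    "W3SVC/1/ROOT": [
        r".cfm,C:\example\wsconfig\jrun.dll,3,GET,POST",
        r".asp,C:\WINNT\system32\inetsrv\asp.dll,5,GET,HEAD,POST",
    ],
    "W3SVC/1/ROOT/admin": [r".cfm,C:\example\wsconfig\jrun.dll,7"],
    "W3SVC/2/ROOT": [r".CFM,C:\example\wsconfig\jrun.dll,1", ".cfm,broken"],
}


def parse_script_map(entry):
    """Split one ScriptMaps string into fields; raise ValueError if malformed."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3:
        raise ValueError("expected ext,processor,flags[,verbs]: %r" % entry)
    return {
        "ext": parts[0].lower(),    # extensions are case-insensitive
        "processor": parts[1],
        "flags": int(parts[2]),     # raises ValueError if not numeric
        "verbs": parts[3:],         # optional verb list
    }


def audit(script_maps, extensions=(".cfm",)):
    """Return (node, entry, reason) for each mapping that needs attention."""
    findings = []
    for node, entries in script_maps.items():
        for entry in entries:
            try:
                mapping = parse_script_map(entry)
            except ValueError:
                findings.append((node, entry, "unparseable"))
                continue
            if mapping["ext"] not in extensions:
                continue
            if not mapping["flags"] & MD_SCRIPTMAPFLAG_CHECK_PATH_INFO:
                findings.append((node, entry, "file-exists check off"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  |  ")
```

A child node such as `ROOT/admin` can carry its own `ScriptMaps` value that overrides the parent, which is why the audit reports per node rather than per site.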