
Thread: Bug in security policy for NT and IIS

  1. #1

    Bug in security policy for NT and IIS

    NT user (who is locked from changing his/her password by administrator) can bypass the security policy and change the password.

    Read more at www.xatrix.org

  2. #2
    s0nIc (Fastest Thing Alive) | Join Date: Sep 2001 | Location: Sydney | Posts: 1,584
    NT user (who is locked from changing his/her password by administrator) can bypass the security policy and change the password.


    Vulnerable:

    Microsoft Windows NT Server 4.0 + IIS 4.0 + Service pack 6.0

    Description:

    Valid NT user can bypass the administrator security policy "user cannot change password" and can change his/her password through web based ".HTR" application.

    Valid NT user whose account is locked from changing his/her password by administrator, i.e. (Administrator applied the policy "user cannot change password"), can still change his/her password through IIS Web service http://iisserver/iisadmpwd/aexp3.htr. This is possible with disabled accounts also.

    Enter valid user id and password (who cannot change his/her password). Enter new password. It is bypassing the security policy "user cannot change password" and password got changed.

    The following files can also be used for the same

    http://iis-server/iisadmpwd/aexp2.htr
    http://iis-server/iisadmpwd/aexp2b.htr
    http://iis-server/iisadmpwd/aexp4.htr

    Vendor status

    Microsoft was informed about this.

    Response from Microsoft

    "The particular policy you've mentioned, locking users out of changing Passwords, isn't something that this tool, when developed, was designed to account for.

    Again, though, we want to reiterate that .HTR is a deprecated technology and we very strongly urge you to unmap .htr if at all possible. The preferred method of handling accounts through HTML pages is through the use of ADSI now. As I noted, we are looking to see if we can provide an ASP based application to replace the HTR-based application at some point."

    Solution

    .HTR should be disabled by unmapping. Avoid using .HTR based password changing application.


    KOBBRAS - ermm not that I'm complainin or anything but can you please put the EXACT link next time? coz I'm sure you know that the main page changes from time to time coz of new articles and if this article disappears from the main page after a certain amount of time, the others won't know what you were talking about coz they can't find it. But it's a good post tho. Keep it up.. with proper link next time tho..

    -----------------------------------

    And why the heck did MS create those htr pages? hmm.. another "toy" that's supposed to be a good thing went wrong I suppose.. man, M$ never learn.. not to mention the UPnP in XP.. eeehh.. oh well.. at least they noticed the public.. Nice post KOBBRAS
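
An added example, not part of the original thread or the advisory: before or after unmapping .HTR, an administrator can check IIS logs for requests to the `/iisadmpwd/*.htr` password pages named above. It assumes logging in W3C Extended Log File Format with the `c-ip`, `cs-method`, `cs-uri-stem` and `sc-status` fields enabled; the log lines and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# The password-change pages in the advisory sit under /iisadmpwd/ and end in .htr.
HTR_PWD = re.compile(r"^/iisadmpwd/[^/]+\.htr$", re.IGNORECASE)

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-01-10 09:14:02 192.0.2.10 GET /default.asp 200
2002-01-10 09:14:40 192.0.2.10 GET /iisadmpwd/aexp3.htr 200
2002-01-10 09:15:05 192.0.2.10 POST /IISADMPWD/aexp3.htr 200
2002-01-10 09:20:11 198.51.100.7 GET /iisadmpwd/aexp2b.htr 404
2002-01-10 09:21:00 198.51.100.7 GET /scripts/iisadmpwd.txt 404
"""

def find_htr_password_hits(log_text):
    """Return requests to /iisadmpwd/*.htr as dicts keyed by the log's field names."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order may change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed rows
        row = dict(zip(fields, values))
        if HTR_PWD.match(row.get("cs-uri-stem", "")):
            hits.append(row)
    return hits

def summarize(hits):
    """Per client IP: total requests, and POSTs answered 2xx (form submitted and processed)."""
    summary = defaultdict(lambda: {"requests": 0, "posts_ok": 0})
    for row in hits:
        entry = summary[row.get("c-ip", "unknown")]
        entry["requests"] += 1
        if row.get("cs-method") == "POST" and row.get("sc-status", "").startswith("2"):
            entry["posts_ok"] += 1
    return dict(summary)

if __name__ == "__main__":
    for ip, counts in summarize(find_htr_password_hits(SAMPLE_LOG)).items():
        print(ip, counts)
```

A client with a non-zero `posts_ok` count submitted one of the forms and got a success status back, which is the case worth correlating with password-change events for accounts flagged "user cannot change password".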

  3. #3
    OK, no problem

  4. #4
    my m$ book is used as TP.
    LATER-
    __________________________
    Computers make sense people
    DON'T.
