IIS 5.0 Vulnerability

[t2k2]

Hey, does anyone out there use Apache Web Server for Windows? Just curious if it's any better than IIS with the vulnerabilities and performance and such. I have quoted the entire bugtraq notification I received via email. This should be enough incentive to patch your installation. Maybe IIS 6.0 will be a little better; then again, that's what they say about every release.

SYSTEMS AFFECTED ========



IIS 5.0 / Windows 2000

SP2 - SRP1

(exploited with a browser)


CONTENTS =========



Subject: IIS 5.0 Cross Site Scripting Vulnerability

Date: 27 September 2002

Risk: Medium


DESCRIPTION =========



IIS 5.0 can be forced to return malicious content in user's browser.

By using a large buffer URL with the idc extension, IIS shows a non-standard error page,

which contains also the entire address submitted.

The problem is that the address returned is not urlencoded, then is possible to store a script in the url,

that will be executed by the browser.


DETAILS =========



http://server/<long_buffer>.idc



http://server/<long_buffer><script_to_execute>.idc



The total buffer must be long at least 334 chars.



In the second case, <script_to_execute> is parsed by the server, printed in the html error page

and executed by the browser.



This may be used in a link for browsers and email clients.


RISKS ==========



Stealing cookies which may contain critical data (personal informations, passwords, etc).


WORKAROUNDS ========



Remove the .idc extension from application mappings.

Update to SP3.



VENDOR STATUS ========



Microsoft was notified on 10 September.

They confirmed, according to my testing on Win2k and their testing on WinNT,


that this problem has been remedied with the latest SP and patches.

[mupp3t]

I belive apache is better. i dont personaly use it, but from what i have heard, its better.
I think statistics wise, more ppl use apache than anyother one. dont quote me on that

[yanyo]

Today in every platform you need to worry about patching your servers and reading securiy alerts. When the code red worm Apache users were laughting and now they have the similar slapper worm.

[Jehnny]

Thanks a ton for posting this, t2k2.

yanyo: Exactly my thoughts.

[Redbone]

I like Apache better than IIS, but it isn't so much because of security as it is flexibility. I tend to write a lot of Java servlets and JSP and I like how easily Apache hands off Java processes to Tomcat. So make your decision based on what you need the server to do first, and then by the number of security patches you have to apply second.

But remember, yanyo is correct. You need to keep up with all of the security patches for any software that you use regularly.

[Xenon]

Comparing IIS to Apache is like comparing swiss cheese to cheddar. With any web server you will have to be vigilant on monitoring any security patches that might be made available. However, IIS by far has more holes out of the box and is a favorite for attackers. Get a real web server, get Apache.

[problemchild]

When the code red worm Apache users were laughting and now they have the similar slapper worm.

While I agree that there's a certain amount of comeuppance involved in Slapper, I don't think it's entirely accurate to compare Code Red and Slapper aside from the fact that they spread in a similar way. IIS garnered more then 350,000 Code Red infections with less than 25% of the server market, whereas Apache has about 62% of the market and has seen about 10,000 Slapper infections. Big difference there.

The simple fact is that IIS is being disproportionately targeted by attackers, and people will argue about the reason, but the reason is pretty well irrelevant. What matters is that they are succeeding, and that's what you have to look at in choosing a web server.