-
March 6th, 2002, 11:54 PM
#1
Bug in security policy for NT and IIS
NT user (who is locked changing his/her password by administrator) can bypass the security policy and Change the password.
Read more at www.xatrix.org
-
March 7th, 2002, 12:12 AM
#2
NT user (who is locked changing his/her password by administrator) can bypass the security policy and Change the password.
Vulnerable:
Microsoft Windows NT Server 4.0 + IIS 4.0 + Service pack 6.0
Description:
Valid NT user can bypass the administrator security policy "user cannot change password" and can change his/her password through web based ".HTR" application.
Valid NT user whose account is locked changing his/her password by administrator i.e. (Administrator applied the policy " user cannot change password") can still "Change his/her password through IIS Web service http://iisserver/iisadmpwd/aexp3.htr ". This is possible with disabled accounts also.
Enter valid user id and password (who can not change his/her password).Enter new password. It is by passing the security policy "user can not change password" and password got changed.
The following files can also be used for the same
http://iis-server/iisadmpwd/aexp2.htr
http://iis-server/iisadmpwd/aexp2b.htr
http://iis-server/iisadmpwd/aexp4.htr
Vendor status
Microsoft was informed about this.
Response from Microsoft
"The particular policy you've mentioned, locking users out of changing Passwords, isn't something that this tool, when developed, was designed to account for.
Again, though, we want to reiterate that .HTR is a deprecated technology and we very strongly urge you to unmap .htr if at all possible. The preferred method of handling accounts through HTML pages is through the use of ADSI now. As I noted, we are looking to see if we can provide an ASP based application to replace the HTR-based application at some
point."
Solution
.HTR should be disabled by unmapping. Avoid using .HTR based password
changing application.
KOBBRAS - ermm not that am complainin or anything but can you please put the EXACT link next time? coz im sure you know that the main page changes from time to time coz of new articles and if this article disappears in the main page after certain of time, the others wont know what you were talking about coz they cant find it. But its a good post tho Keep it up.. with proper link next time tho..
-----------------------------------
And why the heck did MS create those htr pages? hmm.. another "toy" thats supposed to be a good thing went wrong i suppose.. man, M$ never learn.. not to mention the UPnP in XP.. eeehh.. oh well.. atlaest they noticed the public.. Nice post KOBBRAS
-
March 7th, 2002, 11:02 PM
#3
-
March 7th, 2002, 11:16 PM
#4
Member
my m$ book is used as TP.
LATER-
__________________________
Computers make sense people
DON\'T.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|