From: Oisin Grehan [oisin@LABYRINTH.IE]
Sent: Wednesday, July 28, 1999 7:33 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Seattle Labs EMURL Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----

Hi Russ et al,

In the course of evaluating different "hotmail in a box" type packages, I have discovered a potentially dangerous misconfiguration in the Seattle Labs Emurl 2.0 package (I'm not aware if the problem exists in earlier versions and I'm not in a position to test).

The problem lies around the (ab)use of Scripting.FileSystemObject and the fact that Emurl places any attachments that you receive via email into an easily accessible (via http) directory that is marked Scriptable. It is not possible to mark this directory for Read access only as it is beneath the Web's root (which needs to be Scriptable) and is thus inheriting this permission. This directory's location is NOT configurable by any INI directives in Emurl.

The only solution I can offer is to disable Scripting.FileSystemObject, and I include steps to do this at the end of this mail. As a side note, IMNSHO I believe that this [scripting.filesystemobject] should never be enabled.

I'm not going to leave step-by-step instructions on how to destroy/abuse Emurl driven sites (sorry script kiddies), but it suffices to say that I've provided enough information for the more knowledgeable among us to test/verify this for themselves.

What really is most distressing is that I had reported this misconfiguration/vulnerability directly to Seattle Labs nearly _three_ months ago. That is three months that Seattle Labs have willfully left their clients (and their clients' customers) open to serious abuse. The tone of their few email replies has led me to believe that they have no intention of fixing this problem in the present version and instead wish to rectify it in the upcoming version 3.

Personally I think this is disgraceful; imagine buying (for example) a car from Ford (or any arbitrary vehicle manufacturer) only to discover the steering wheel falls off after a week. Imagine telling Ford this; would you think they'd tell you "Well, you'll have to buy the new model when it comes out, it'll be fixed in that."? No, I think not.

I'm sorry that I'm going to have to leave egg on their [SL's] faces about this, but one of the primary purposes of this list, apart from information sharing, is to prompt vendors into quick action by putting a gun to their heads.

Disabling Scripting.FileSystemObject:

You can completely disable this object or selectively allow instantiation for different virtual webs by use of permissions on its registry key. For selective usage with virtual webs you should be using different IUSR_* accounts for each virtual web.

Open regedt32 and open the key [HKEY_CLASSES_ROOT\Scripting.FileSystemObject] or [HKEY_LOCAL_MACHINE\Software\Classes\Scripting.FileSystemObject] (they are the same reference). Now click Security, Permissions... You should be presented with a dialog box similar to a file perms one. Remove "Everyone Read" from the list and click OK.

That should close down _most_ of the harmful things possible via this hole. This is NOT a complete fix, as there are many other things you can do with an ASP page if you're competent enough; that includes downloading/reading files (via SSI, if parent paths are enabled) from known or guessed locations on the drive.

I hope this will encourage SL to get working on a patch ASAP and I hope none of you are affected adversely because of my post.

Regards,

Oisin Grehan
Technical Manager
Labyrinth Solutions Ltd.

.------------------------------------------.
| labyrinth p. +353-1-6624976 f. 6624978   |
|                                          |
| keyid: 0x08D63965                        |
| pgp/fp 2123F10AE76B5E84 6102C9A67E45D446 |
| keyserver http://wwwkeys.pgp.net:11371   |
'------------------------------------------'

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.5.3i for non-commercial use

iQCVAwUBN57rTKwZqs0I1jllAQHH4gP9Gx+NY6pEDwVxaoGwm8RZgSdFIh+ybB8o
9boUnSQGUBEum9iHFEnGP+6Ko+oon4ZWIsdhZomiee3ghi++uVjawnAvuQ1Fe5AH
TXeHpAWaL4cTEkWki8GIoTlbmKNrnprD4P5p1K0OrJHP/2D+BcSKshPu/XsTJ+DG
jhAr2ogq/30=
=kjPG
-----END PGP SIGNATURE-----
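[Editor's note, not part of the original post: the regedt32 steps above (audit the ACL on the Scripting.FileSystemObject class key, remove the "Everyone" Read entry, and optionally grant a specific virtual web's IUSR_* account instead) can be scripted. The following PowerShell is an added example written for this page, not code from Oisin Grehan or Seattle Labs; it assumes a modern Windows host with PowerShell, that it is run elevated, that Administrators already hold an explicit Full Control entry on the key (so breaking inheritance does not lock them out), and that the `-AllowAccount` name is whatever IUSR_* account the operator chooses.]

```powershell
# Added example: audit and (optionally) lock down the Scripting.FileSystemObject class key.
# Usage:  .\Lock-FSO.ps1                      # audit only, prints the current ACL
#         .\Lock-FSO.ps1 -Fix                 # remove every "Everyone" Allow ACE
#         .\Lock-FSO.ps1 -Fix -AllowAccount 'IUSR_WEB1'   # ...and re-grant ReadKey to one web's account
param(
    [switch]$Fix,
    [string]$AllowAccount   # hypothetical IUSR_* account name; assumption, supply your own
)

# HKCR\Scripting.FileSystemObject and HKLM\Software\Classes\Scripting.FileSystemObject are the
# same key, as the post notes; the Registry:: provider path below reaches it.
$KeyPath  = 'Registry::HKEY_CLASSES_ROOT\Scripting.FileSystemObject'
$Everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')   # well-known "Everyone" SID

$acl = Get-Acl -Path $KeyPath

# Audit: show every ACE, including inherited ones, so the operator can see who can read
# (and therefore instantiate) the object before changing anything.
Write-Output "Current ACL on $KeyPath"
$acl.Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize | Out-String | Write-Output

if (-not $Fix) {
    Write-Output 'Audit only; rerun with -Fix to remove the Everyone entries.'
    return
}

# The class key normally inherits its ACL from HKLM\Software\Classes. An inherited ACE cannot be
# removed in place, so break inheritance while copying the existing entries as explicit ones;
# that mirrors what regedt32's permissions dialog does when you edit an inherited list.
$acl.SetAccessRuleProtection($true, $true)

# Re-read the rules after protection: they are now all explicit and can be removed.
$everyoneRules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -eq $Everyone }

if (-not $everyoneRules) {
    Write-Output 'No "Everyone" Allow entry found; nothing to remove.'
} else {
    foreach ($rule in $everyoneRules) {
        [void]$acl.RemoveAccessRule($rule)
        Write-Output ("Removed Everyone {0} ({1})" -f $rule.RegistryRights, $rule.AccessControlType)
    }
}

# Selective re-enable for one virtual web, per the post's advice to use a distinct IUSR_* per web:
# grant only ReadKey (enough for COM to look up the CLSID) to that account, not to Everyone.
if ($AllowAccount) {
    $grant = New-Object System.Security.AccessControl.RegistryAccessRule(
        $AllowAccount,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($grant)
    Write-Output "Granted ReadKey to $AllowAccount"
}

Set-Acl -Path $KeyPath -AclObject $acl
Write-Output 'ACL updated. Re-run without -Fix to confirm, then test the affected virtual webs.'
```

Run the audit form first and confirm that an explicit Administrators (or SYSTEM) Full Control entry is present before using `-Fix`; once inheritance is broken, nothing from the parent key will be added back, so an account that was only covered by "Everyone" loses its access. As the post itself notes, this closes the FileSystemObject route only; it does nothing about other file reads an ASP page can perform.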