
אליק לוין

The world of a Microsoft consultant

Beware of wildcard characters MIME mappings in IIS

I find it useful to run a few checks against IIS when conducting a security deployment inspection.

From http://support.microsoft.com/default.aspx/kb/326965:


SYMPTOMS

When you request a file from an IIS 6.0 Web server, and the file has a file name extension that is not a defined MIME type on the Web server, you receive the following error message:

HTTP Error 404 - File or directory not found.

and then:

RESOLUTION...

It might look like a problem, but it is just another countermeasure against possible attacks. IIS 6.0 does not serve files with unregistered extensions. With IIS 5.0, files with unregistered extensions would be served for download.

Imagine a situation where an admin changes the web.config file but keeps a copy of the original with a .old extension. With IIS 5.0 an attacker could navigate to it directly, like this: www.mysite.com/web.config.old. The result would be web.config.old handed to the attacker without any restrictions.

Since .old is not registered with IIS 6.0, and there are no wildcard MIME mappings by default [which is not the case with IIS 5.0/5.1], IIS 6.0 returns 404 for the above request.

If you deploy non-standard (non-.NET) files such as .ini, .old or .bak, I'd recommend:

- Do not do it. Do not deploy unnecessary files.

- If you have to, protect them in your web.config using HttpForbiddenHandler.

- If you use IIS 5.0 [Win2k], isn't it time to move on?

- If you use IIS 6.0, beware when applying wildcard character MIME mappings in the IIS metabase.
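The following is an added example, not code from the original post: a small deployment-inspection check that ties the two points above together. It embeds a constructed web.config fragment that maps .old and .bak to System.Web.HttpForbiddenHandler (the stock ASP.NET handler that answers 403 for anything routed to it), parses it, and reports which extensions from a watch list are still not mapped. The sample config, the watch list and the function names are assumptions made for the example.

```python
"""
Added example (not from the original post): check a web.config for
HttpForbiddenHandler coverage of backup/configuration file extensions.
"""
import xml.etree.ElementTree as ET

# Constructed sample web.config (ASP.NET 1.1/2.0 style <httpHandlers> section,
# as used with the IIS 6.0 classic pipeline). Only .old and .bak are mapped to
# the forbidden handler; .ini is deliberately left out so the check reports it.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.old" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.bak" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
  </system.web>
</configuration>
"""

# Extensions a deployment inspection should look for (the post's list).
WATCH_LIST = (".ini", ".old", ".bak")

FORBIDDEN_HANDLER = "System.Web.HttpForbiddenHandler"


def _local_name(tag: str) -> str:
    """Strip an XML namespace prefix ({ns}add -> add); some web.config files
    declare an xmlns on <configuration>, which namespaces every element."""
    return tag.rsplit("}", 1)[-1]


def forbidden_extensions(web_config_xml: str) -> set:
    """Return the set of extensions (".ext", lower-case) that the config routes
    to HttpForbiddenHandler via <add path="*.ext" type="..."/> entries."""
    root = ET.fromstring(web_config_xml)
    found = set()
    for element in root.iter():
        if _local_name(element.tag) != "add":
            continue
        # type may be "Type" or "Type, Assembly, Version=..."; keep the type name
        handler = (element.get("type") or "").split(",")[0].strip()
        if handler != FORBIDDEN_HANDLER:
            continue
        path = element.get("path") or ""
        if path.startswith("*."):
            found.add("." + path[2:].lower())
    return found


def unprotected(web_config_xml: str, watch_list=WATCH_LIST) -> list:
    """Extensions from the watch list that have no HttpForbiddenHandler mapping."""
    covered = forbidden_extensions(web_config_xml)
    return [ext for ext in watch_list if ext.lower() not in covered]


if __name__ == "__main__":
    missing = unprotected(SAMPLE_WEB_CONFIG)
    if missing:
        print("Extensions without an HttpForbiddenHandler mapping:", ", ".join(missing))
    else:
        print("All watched extensions are mapped to HttpForbiddenHandler.")
```

One caveat when reading the result on IIS 6.0: an httpHandlers entry only takes effect for requests that reach ASP.NET, which in the classic pipeline means the extension must also be mapped to aspnet_isapi.dll in the site's script mappings. An extension that is neither script-mapped nor registered as a MIME type is handled by IIS itself, which is exactly the 404 case the KB article above describes.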

Cheers