RE: Warning: Security Hole With IIS & Tomcat

[Randy Layman <ra...@aswethink.com>]

	I would have to say probably not.  The exploit that we saw a few
weeks ago was that you can send IIS a command to go .. outside of the
inetpub directory (thus going above the root).  If you have the default
installation, and inetpub is on the same drive as your WinNT partion, it
allows the hacker to run cmd.exe, from which they can do just about whatever
they want.

	The solution to this problem is to have inetpub on a different drive
from your WinNT directory.

	Randy

-----Original Message-----
From: Russell, Steve [mailto:Steve.Russell@valueoptions.com]
Sent: Friday, July 27, 2001 9:47 AM
To: 'tomcat-user@jakarta.apache.org'
Subject: Warning: Security Hole With IIS & Tomcat


 Hi;

My company is running a jsp site on IIS 5 with windows 2000, and all of
the security patches.


We discovered that if we use tomcat or jrun 2.3.3 with IIS that that 
we have to set up the tomcat ( or jrun ) directories as virtual directories
___with execute permissions turned on__.


This got us hacked into.

I don't understand how.  It has something to do with how IIS handles 
malformed urls leaving IIS open to attacks if directories associated with 
a web site have execute permissions granted.

Does Apache have a similar vulnerability? 

Steve Russell 
Web Developer III 
ValueOptions - Lifescape 
703-205-6589 
steve.russell@valueoptions.com 



**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the sender by email, delete and destroy this message and its 
attachments.


**********************************************************************