October 2004 - Posts

I would like to invite you to participate in this online survey, which will take approximately ten minutes of your time. The topic of this survey is “Security Software in Ecommerce Development” and I am very interested in hearing your opinion on this particular topic. This survey is an important part of my master's thesis, which I am researching at the Faculty of Technology, University of Portsmouth, UK.

All data received from this questionnaire will be treated as confidential and individual responses will not be publicized. As a small token of appreciation, you will be able to download the final report in PDF format at the end of this research. In addition, you will stand a chance to win one of the following prizes plus a copy of my first publication (Securing IIS 6.0, ISBN: 1931836256):

1st Prize: Wireless Optical Desktop Pro
2nd Prize: SideWinder Precision Racing Wheel
3rd Prize: Notebook Optical Mouse

To complete the questionnaire, please visit http://www.5i4k.com/bb/
Thank you for your participation. If you have any questions, please do not hesitate to contact me (qbernard AT hotmail.com).

Cheers.

Posted by bernard | 1 comment(s)

Now, from time to time you will see similar questions in newsgroups or discussion forums. One would ask 'IIS or Apache, which is better?', 'Can you tell me whether I should pick IIS or Apache?' ...... well, again - no one will be able to answer you unless you provide more detail, including the detailed requirements, operating environment, integration planning, etc. If it's just a pure web server, both are decent and you can pick either one you like. Of course, there are cost factors, support, maintenance and other considerations. Hence, only after all these facts are known can you begin to evaluate each product and see which one best fits your needs.

Next, I just read this on Michael Howard's blog, where he is doing a study on the latest IIS 6 vs Apache 2.x security. Part one was posted a few days ago, so there have been two bugs filed against IIS 6 since launch :) I did talk about this too... but I wouldn't categorize it as a 'real BUG' if you had locked down the server properly. Anyway, there were some comments on why compare with 2.x, because according to the study 1.x covers the majority of Apache's share in the web server market. Hence, today Michael posted an analysis comparing IIS 6 and Apache 1.x; details in part two. Still not convinced? hmm.. wait till IIS 7.0 then :)

Posted by bernard | 5 comment(s)

Today, Microsoft released additional information and tools in conjunction with the ASP.NET canonicalization vulnerability. Got these details from my lead, Ben. Here are the updates:

New tool - Module Scanner:
887290 How to use the ASP.NET ValidatePath Module Scanner (VPModuleScanner.js)

Deployment methods - GPO and SMS 2003:
887405 How to use Windows Installer and Group Policy to deploy the VPModule.msi in an Active Directory domain
887404 How to use Systems Management Server 2003 to deploy the ValidatePath module

Information:
887289 HTTP module to check for canonicalization issues with ASP.NET
Updated security incident page - What You Should Know About a Reported Vulnerability in Microsoft ASP.NET

Posted by bernard | with no comments

Microsoft just released the October security bulletins: 7 critical + 3 important + 1 re-issued.

Critical:
MS04-032  Security Update for Microsoft Windows (840987)
MS04-033  Vulnerability in Microsoft Excel Could Allow Code Execution(886836)
MS04-034  Vulnerability in Compressed (zipped) Folders Could Allow Code Execution (873376)
MS04-035  Vulnerability in SMTP Could Allow Remote Code Execution (885881)
MS04-036  Vulnerability in NNTP Could Allow Code Execution (883935)
MS04-037  Vulnerability in Windows Shell Could Allow Remote Code Execution (841356)
MS04-038  Cumulative Security Update for Internet Explorer (834707)

Important:
MS04-029  Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service (873350)
MS04-030  Vulnerability in WebDav XML Message Handler Could Lead to a Denial of Service (824151)
MS04-031  Vulnerability in NetDDE Could Allow Remote Code Execution (841533)

Re-issued:
MS04-028  Microsoft Office XP, Project 2002, Visio 2002, Windows Journal Viewer Remote Code Execution

IIS related:
MS04-030 - Affected component: WebDAV
    IIS versions: IIS 5.0, IIS 5.1 and IIS 6.0
    XP Pro SP2 (IIS 5.1) is not affected.

MS04-035 - Affected component: SMTP
    IIS versions: IIS 6.0
    W2K (IIS 5.0) and NT 4.0 (IIS 4.0) are not affected; however, the vulnerability will exist if you deploy the Microsoft Exchange Server 2003 Routing Engine component on Windows 2000 Server.

MS04-036 - Affected component: NNTP
    IIS versions: IIS 4.0, IIS 5.0 and IIS 6.0
    W2K Pro (IIS 5.0) and XP Pro (IIS 5.1) are not affected, as the NNTP component is not available on them.

Posted by bernard | with no comments

New layout and features for the Microsoft Help and Support website. Hmm.... nice :) It supports Passport login and allows you to customize your own 'support center' + bookmark your favorite support articles + article rating + feedback + additional comments on articles + improved incident submission experience and more...

But WAIT!!!!!! is it really that nice? Well, I think some parts can be improved. For example, the 'select a product' - either list all, or have major sections with a drop-down list box, instead of 'more....' and 'more....' to find the product I want. Also, it would be nice to use a much more meaningful URL, say ?p=iis&v=6, rather than ph/2097 or 2094, etc. What the heck is 2097? I mean, for a regular user like me, I would just change the URL rather than click here and there to select whatever product I want. Also, it would be nice to be able to show or hide the right toolbar..... information like search, additional resources... I don't need that! I mean, I want to have control over this part as well.

One cool feature is the translations of the articles! I used to type zh-cn or the like to see if an article had been translated; now you can just select from the right 'section' of the page. If the KB is translated, you will see the language listed in the drop-down list; all you need to do is select the desired language and click the '->' button. If the language is not listed in the drop-down list, it means the article is not translated into that specific language.

And what is this 'Need More Help?' together with 3 question mark images??? You will find two 'Need more help' boxes in each KB article, at the top right and the bottom of the page. Marketing???


Posted by bernard | with no comments

Microsoft has released an HTTP module installer in response to this vulnerability. The incident page has been updated, together with a new KB 887289 - HTTP Module to check for canonicalization issues with ASP.NET, detailing the MSI package and the changes it makes. This is a server-wide fix; it offers the same check as KB 887459. You are advised to install this 'protection' workaround ASAP; you can get the package here. Note: please back up your machine.config file before installing the package.

On the other hand, I have been chatting with Mark Burnett (IIS MVP, author of Hacking the Code: ASP.NET Web Application Security) since yesterday. Interestingly, I felt that the 'hole' is in the ASP.NET ISAPI filter, which fails to check the requested URL path and leads to unauthorized access. Here's part of Mark's analysis:

---
There has been some confusion with the ASP.NET forms authentication issue and I wanted to clarify some points. First of all, this is really an authorization issue, not an authentication issue. This sounds trivial but the difference helps to understand what's happening here. Authorization is what determines if authentication needs to happen.

Normally when you make a request for a protected resource, ASP.NET checks the web.config to see if there is an authorization rule for that resource. If there is no match, it checks the authorization section in the web.config of each parent application all the way up to machine.config, which by default allows everyone to access everything.

The problem here is that by using a backslash, the code that compares the path string and the protected resource always fails. It does not properly match the path string to anything in web.config and eventually ends up in the machine.config, which allows access (note that this current vulnerability applies to the backslash, but it could potentially be any form of obfuscation that IIS might allow). Since it does not find any rules requiring authentication, it allows access to the resource without prompting the user for credentials, because it sees no need to do so. Therefore, it is not an authentication issue because it never gets to that point. Also, this means that it does affect both Forms and Windows authentication (assuming the NTFS permissions allow access to the ASP.NET process).
---

For the full analysis and other discussions, you can subscribe to this list.

Posted by bernard | with no comments

This is an update to yesterday's ASP.NET Vulnerability post, as there have been many developments since yesterday. To conclude: this vulnerability applies to all platforms running any version (as of today) of the .NET Framework and using ASP.NET, with either Forms or Windows authentication. Though for IIS 5.1 and below you can deploy URLScan to filter the illegal '\' or '%5C' requests, it is recommended that you apply the workaround stated in KB 887459, as this is an attack on ASP.NET rather than an exploit of the IIS server.

Next, so is IIS 6 vulnerable? The answer is NO, because IIS 6 has better and tighter parsing restrictions - here's what I have tested.

With urlscan:
Browsing:
http://localhost/test%5Cblabla.aspx
The request was rejected by URLScan - as expected.
Client at xxx.xxx.xxx.xxx: URL contains sequence '\', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='%5Cblabla.aspx'

Browsing:
http://localhost/test\blabla.aspx
The request was NOT rejected by URLScan - Ding!! (Updated 2:30pm (GMT+8): this is because IE replaces the \ with /, hence the request is valid - thanks to Ken Schaefer. In Mozilla, however, it will be replaced with %5C)
GET /test/blabla.aspx - 80 - 127.0.0.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) - - localhost 302 0 0
And it is redirected to default.aspx for authentication.

Without URLScan:
Browsing with either '\' or '%5C', you will get:
GET /test/blabla.aspx - 80 - 127.0.0.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) - - localhost 302 0

Hence, IIS 6 is not vulnerable. But then again, you are advised to apply the workaround code in your ASP.NET app. Next, an interesting fact: both '\' and '%5C' are captured as '/' in the IIS log file (/blabla.aspx), which is quite bad (IMHO), as we never know the original request detail.

Note: Tested with IE 6 and Mozilla 1.7
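The authorization walk Mark describes in his analysis quoted above, and the '\' / '%5C' requests tested in this post, modelled as an added example (not code from the original posts, from Mark, or from Microsoft's KBs): a naive prefix match that falls through to the machine.config default, beside a hardened check that rejects backslashes before any rule lookup. The rule table, paths and the canonical_path helper are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed authorization table, most-specific application first. The last
# entry stands in for machine.config, which by default allows everyone.
RULES = [
    ("/test/", "deny-anonymous"),   # web.config of the /test application
    ("/", "allow-everyone"),        # machine.config default
]

def naive_authorize(path: str) -> str:
    """Compare the path exactly as received against each rule prefix.
    '/test\\blabla.aspx' does not start with '/test/', so nothing matches
    until the machine.config default, which allows the request through."""
    for prefix, decision in RULES:
        if path.startswith(prefix):
            return decision
    return "allow-everyone"

def canonical_path(raw_path: str) -> str:
    """Canonicalize before any rule lookup (hypothetical helper).
    Percent-decode once, refuse any backslash outright rather than
    translating it, then drop empty and dot segments. Raises ValueError,
    which a handler would turn into a 400/404 response."""
    decoded = unquote(raw_path)
    if "\\" in decoded:
        raise ValueError("backslash in request path")
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)

def hardened_authorize(raw_path: str) -> str:
    """Reject obfuscated paths, then run the same rule walk on the canonical form."""
    try:
        path = canonical_path(raw_path)
    except ValueError:
        return "reject"
    return naive_authorize(path)

if __name__ == "__main__":
    for p in ("/test/blabla.aspx", "/test\\blabla.aspx", "/test%5Cblabla.aspx"):
        print(f"{p!r:28} naive={naive_authorize(p):15} hardened={hardened_authorize(p)}")
```

Because the check runs on the decoded path, the '%5C' form and the literal backslash are treated identically, and the rejected request can be logged with its raw URL, which the IIS log alone does not preserve.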

Posted by bernard | 2 comment(s)
883661 The ILogPlugin::QueryExtraLoggingFields method returns incorrectly formatted data in IIS 6.0
842492 Entries may be logged in the incorrect log file after a new log file is created in Internet Information Services (IIS) 6.0
867755 Content in Web pages does not appear as expected, or you receive script error messages, after you turn on dynamic HTTP compression for Web sites that use ISAPI filters in Internet Information Services 6.0
841643 Issues may occur after you install the MS04-011 Windows security update on a computer that is running IIS 5.0
884372 A WebDAV thread pool limitation exists in IIS 5.0
885347 An incomplete URL path is recorded for the cs-uri-stem field in the IIS log file
Posted by bernard | with no comments
Canonicalization issues with ASP.NET, affected products include:
  • Microsoft .NET Framework 1.0
  • Microsoft .NET Framework 1.0 SP1
  • Microsoft .NET Framework 1.0 SP2
  • Microsoft .NET Framework 1.0 SP3
  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework 1.1 Service Pack 1 (SP1)

You may have heard about this from many ASP.NET discussion forums or blogs. In response, Microsoft has officially published the following security incident article: What You Should Know About a Reported Vulnerability in Microsoft ASP.NET. Meanwhile, you should look at KB 887459 on how to deal with canonicalization issues.

Posted by bernard | 3 comment(s)

Recently, a newsgroup user found my MSN ID and started messaging me. Well, of course, I don't really like to do newsgroup support over MSN, so he changed the subject to "what is an MVP?" As usual, I just gave him this link. Bla bla bla..... we continued to chat, for about 15 minutes. One of the questions was - how do you spend your day as an MVP? You seem pretty active online; don't you have a day job? :)

FYI, I do have a day job :) but let's not talk about it here. They have 'eyes' everywhere! Now, I'm an IIS MVP, so I'm in most of the IIS-related communities, skipping of course the other language-specific communities, e.g. .jp, .kr, etc. Here's where I go every day :)

First, ASP.NET, IISFaq and IIS-Resources. Postings to the above three web-based forums take about 10 percent of my total participation; I still prefer NNTP-based discussion! Then I move on to the public newsgroups, that's msnews.microsoft.com, or this if you insist on web based. I have almost everything related to *.iis and .inetserver.*. And yes, I can read and write Chinese (Simplified and Traditional) and I do speak Mandarin, Cantonese and bla bla :) Too bad I don't know Japanese; if I did, I would have covered the .jp group as well. For public groups, I have altogether about 20+ groups, including windows.server.security and others; some of them are for reading and information only. This server has the highest posting volume: on average I get about 800-1K, and of course I don't really read each item, but I do read MOST of them.

Next, the private servers in .cn and .directaccess, about 10 groups in total, mainly related to IIS and SQL (read only). Traffic in these groups is moderate, about 150 max on weekdays and a few over the weekend. Finally, the MVP private newsgroups; I hardly post there unless I need help, but the traffic is quite high! Well, ranging from hard-core technical discussion to something completely off topic :) I can't tell you more because it is under NDA.

Now, that's pretty much the core part. For some extra cheese, I help a few local communities as well, including MIND and MOPIT. Don't ask me what kind of name that is; I have no clue, I'm just there to help. Traffic is low, but it is picking up slowly, and hopefully we will see more quality posts there.

The conversation continued.... so how long does it take you to read all the posts? Now, that's the tricky part; in total I spend about 3-4 hrs each day, 15% of it during office hours if I'm free :) and the remainder after dinner or in the middle of the night. When I'm traveling, it's very hard to catch up, and it could end up as much as 5 to 6K postings depending on how long I'm abroad. Then came the next question: why do you want to do it? The answer is simple! Because I love it :) because it's something I'm interested in, because I can learn a lot from newsgroups, because I find satisfaction in the newsgroups, because I get to know more people, because ..... the list just goes on and on..... Last but not least! Because I'm an MVP, and that's part of the nomination criteria you need to fulfil. Of course, don't do it just for the award; if you do, I don't think you would last long.

It's coming to my third year and I'm glad that I'm still part of the team! Oh, I finally got my profile up on the MS site; here's the link.

Posted by bernard | with no comments

Understanding Digest and Advanced Digest Authentication in IIS 6.0 (Level 200)
Find out the differences between the Digest authentication protocol and the new Internet Information Server (IIS) 6.0 Advanced Digest authentication protocol. Also helps Windows 2000 administrators understand Digest authentication, with primary focus on the IIS 6.0 implementation of these protocols.

Digging Deep into the World of UNC Hosting with IIS 6.0 (Level 200)
Scaling Internet Information Server (IIS) 6.0 solutions on to remote servers can be tricky for many administrators. Learn how to set up, troubleshoot, and further optimize IIS 6.0 remote server installations. Two methods of UNC hosting will be discussed.

The Ins and Outs of FrontPage Server Extensions and IIS 6.0 (Level 200)
Have you wondered how FrontPage Server Extensions (FPSE) publishing works? Join us for an enlightening exploration of common tasks such as adding FPSE to a website, configuring user permissions, and backing up content. We'll also discuss some sample scripts you can use to automate adding FPSE to websites.

Posted by bernard | with no comments