noamkrief
Joined: 12 Nov 2003   Posts: 40
Posted: Fri Nov 14, 2003 2:06 am   Post subject: "document path" another security question
Ever since I started using Abyss Web Server (6 months ago) I always had a hunch that the "document path" (the place in which my website files are stored) should NOT be located on the same drive or partition as my C:\ drive (or the drive the OS is installed on).
For example, I'm running win2kad, and I have two hard drives on it: c:\ and d:\
My website files are on d:\
I noticed that this keeps hackers a bit further off.
In my logs I see a lot of attempts by hackers to open my cmd.exe.
Well, it so happens that the log shows they are looking in d:\winnt\system32\cmd.exe, which is not even close since the OS is on c:\
So, is there a reason to my madness in thinking that the website files are better off on a different partition or drive?
Anyway - I have some aliases that point to my c:\ drive (contradicting my own hunch and theory). Is this a vulnerability?
thanks
Noam
Anonymoose
Joined: 09 Sep 2003   Posts: 2192
Posted: Fri Nov 14, 2003 2:33 am
It doesn't make much of a difference, insofar as if a vulnerability is discovered which allows absolute paths in the request you're screwed either way - a lot of the IIS worms you see scanning will also scan a D path for the cmd file,
e.g.
68.63.65.63 - - [11/Nov/2003:21:32:39 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:46 +1133] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:51 +1133] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:52 +1133] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427
(taken from a post in)
http://www.aprelium.com/forum/viewtopic.php?t=2749
Remember this depends entirely on a vulnerability being found in the server to allow such a request.
The second set of requests are attacks on particular CGI files on the system - the request is for a listing of the C:\ root using the cmd.exe file; again, this depends on the vulnerability existing.
In both cases, having the webroot on a different drive wouldn't have helped, since the vulnerability is allowing a request to include a full path.
However, for the paranoid, using a different webroot will stop anyone idly trying to discover directory traversals manually using things like "../../../program files/" etc. as a request, knowing that ../../../ should take them up three levels from C:\program files\abyss webserver\htdocs to the root and back down into Program Files.
If you're extra paranoid (like me :P) use the DOS/console SUBST command to create virtual drives.
Typing 'subst M: C:\webroots\httpd\htdocs' at a command prompt on your machine will create a virtual drive M: on your machine which has htdocs as its root. Now there are no higher levels at all to traverse to :D When you set up your aliases, use the M:\ path instead of C:\Program Files\Abyss Webserver\htdocs.
Hope this helps!
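The log lines quoted above are exactly the kind of thing a defender should be pulling out of an access log automatically rather than noticing by eye. The following is an added example, not code from the thread or from Abyss: a small Python scanner that parses Common Log Format lines, percent-decodes and normalizes the request path the way a filesystem would see it, and labels each entry with the indicators the posts discuss (dot-segment traversal, requests for cmd.exe/root.exe, "/c/winnt" and "/d/winnt" drive-path probes, and percent-encoding used to hide any of them). The first four sample lines are the ones quoted in the post; the benign request and the encoded traversal line are constructed. The label names and the 404 status on a probe mean "missed", but the source address is still worth recording.

```python
"""Flag traversal and cmd.exe/root.exe probes in Common Log Format access logs.

Added example for this thread; it is not Abyss code. Label names are our own."""
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)
SHELL_TARGETS = ("cmd.exe", "root.exe")           # binaries the IIS worms in the thread ask for
DRIVE_PATH_RE = re.compile(r"^/[a-z]/winnt/")     # "/c/winnt/..." and "/d/winnt/..." probes


def normalize_path(raw_path):
    """Drop the query string, percent-decode twice (catches double encoding),
    unify slashes and lower-case, so the checks below see what the filesystem would."""
    path = raw_path.split("?", 1)[0]
    return unquote(unquote(path)).replace("\\", "/").lower()


def classify(line):
    """Parse one log line and return (host, status, raw_path, labels).

    labels is empty for a benign request; None is returned if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("path")
    path = normalize_path(raw)
    labels = []
    if any(len(seg) >= 2 and set(seg) == {"."} for seg in path.split("/")):
        labels.append("traversal")               # "..", "...", and longer dot runs
    if any(target in path for target in SHELL_TARGETS):
        labels.append("shell-probe")
    if DRIVE_PATH_RE.match(path):
        labels.append("absolute-drive-path")
    if unquote(raw) != raw:
        labels.append("encoded")                 # indicator was hidden behind percent-encoding
    return m.group("host"), int(m.group("status")), raw, labels


def scan(lines):
    """Return only the suspicious entries, preserving log order."""
    findings = []
    for line in lines:
        parsed = classify(line)
        if parsed is not None and parsed[3]:
            findings.append(parsed)
    return findings


# The first four lines are the ones quoted in the thread; the last two are constructed.
SAMPLE_LOG = """\
68.63.65.63 - - [11/Nov/2003:21:32:39 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:46 +1133] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:51 +1133] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:52 +1133] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427
192.0.2.10 - - [14/Nov/2003:02:06:00 +0000] "GET /index.html HTTP/1.1" 200 1532
192.0.2.11 - - [14/Nov/2003:02:07:00 +0000] "GET /files/..%2f..%2f..%2fprogram%20files/ HTTP/1.0" 404 427
""".splitlines()

if __name__ == "__main__":
    for host, status, path, labels in scan(SAMPLE_LOG):
        print("%-12s %d %-50s %s" % (host, status, path, ",".join(labels)))
```

Run it against a real Abyss or Apache-style log by replacing `SAMPLE_LOG` with the file's lines; the decode-before-check step is what keeps `%2e%2e/` and `..%2f` variants from slipping past a naive substring match on `../`.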
Anonymoose
Joined: 09 Sep 2003   Posts: 2192
Posted: Fri Nov 14, 2003 2:35 am
Just to add, I'm not entirely sure what would happen if you tried directory traversal with an aliased directory, e.g. /files/../../ when /files is an alias to C:\httpd\htdocs\; I think that would depend entirely on the internal workings of the particular webserver being played with.
noamkrief
Joined: 12 Nov 2003   Posts: 40
Posted: Fri Nov 14, 2003 2:41 am
I LIKE!!!!!!!!
subst, I never heard of it before.
I have to actually do this type of thing for some synchro batch files I wrote for my network.
I always used:
net use m: "c:\website files" /user:domain\user password
That creates a "local network drive", if there is such a thing.
I like your command better! subst creates a REAL virtual drive...
I'll get on it and convert!
thanks so much!
Noam
aprelium
Joined: 22 Mar 2002   Posts: 6800
Posted: Fri Nov 14, 2003 4:14 am
noamkrief,
Since Abyss version 1.1.2, the URL parsing engine was modified to "clean" malicious URLs. So all the ./, ../, .../ variations are understood and the server won't allow a web page to be served from a file that is below the documents path level (or the alias real path level). This is handled by a double-security mechanism.
_________________
Support Team
Aprelium - http://www.aprelium.com
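The support reply describes the shape of the defence without showing it, and Anonymoose's earlier question about what `/files/../../` does against an alias is the exact case such a cleaner has to settle. The following is an added example written for this thread; it is not the Abyss URL parsing engine and makes no claim about how Abyss implements its "double-security mechanism". It shows one reasonable two-stage design in Python: stage 1 decodes the URL and resolves `.`/`..` purely in URL space, refusing any `..` that would climb above the URL root and any `...`-style dot run; stage 2 maps the cleaned path onto the document root or an alias directory and independently verifies the result still lies under that directory. The document root, the single `/files` alias and its target `C:\httpd\htdocs` are assumed values taken from the thread; `ntpath` is used so the Windows path logic runs on any platform.

```python
"""Two-stage request-path cleaning for a Windows web root with aliases.

Added example for this thread, not Abyss source. The layout below is assumed."""
import ntpath
from urllib.parse import unquote

DOCUMENT_ROOT = r"C:\Program Files\Abyss Web Server\htdocs"   # assumed document path
ALIASES = {"files": r"C:\httpd\htdocs"}                       # first URL segment -> real directory (assumed)
FORBIDDEN_CHARS = set('\x00:<>"|*?')                          # never legal inside a Windows file name


class TraversalError(ValueError):
    """Raised when a request path would resolve outside the permitted directory."""


def clean_url_path(url_path):
    """Stage 1: decode and lexically normalize the URL path, returning clean segments.

    '' and '.' segments vanish, '..' pops the previous segment, and '..' above the URL
    root, dot runs of three or more, and characters illegal in file names are rejected."""
    path = url_path.split("?", 1)[0]
    path = unquote(unquote(path)).replace("\\", "/")   # decode twice to defeat double encoding
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                raise TraversalError("'..' above URL root in %r" % url_path)
            segments.pop()
            continue
        if set(seg) == {"."} or FORBIDDEN_CHARS & set(seg):
            raise TraversalError("illegal segment %r in %r" % (seg, url_path))
        segments.append(seg)
    return segments


def map_to_filesystem(url_path):
    """Stage 2: map cleaned segments onto the alias or document root, then confirm
    the normalized result is still inside that base (the independent second check)."""
    segments = clean_url_path(url_path)
    base = DOCUMENT_ROOT
    if segments and segments[0] in ALIASES:
        base = ALIASES[segments[0]]
        segments = segments[1:]
    base = ntpath.normpath(base)
    real = ntpath.normpath("\\".join([base] + segments))
    base_c, real_c = ntpath.normcase(base), ntpath.normcase(real)
    if real_c != base_c and not real_c.startswith(base_c + "\\"):
        raise TraversalError("resolved outside %r: %r" % (base, real))
    return real


def is_allowed(url_path):
    """True if the request maps to a path inside its base, False if it is rejected."""
    try:
        map_to_filesystem(url_path)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed requests: the thread's probes plus ordinary and alias-relative paths.
    for req in ("/index.html", "/docs/../index.html", "/files/report.txt",
                "/files/../index.html", "/files/../../winnt/system32/cmd.exe",
                "/files/..%2f..%2fwinnt/system32/cmd.exe", "/files/.../x",
                "/d/winnt/system32/cmd.exe?/c+dir", "/../../../program files/"):
        print("%-45s %s" % (req, map_to_filesystem(req) if is_allowed(req) else "REJECTED"))
```

Two design points are worth noting. With this scheme `/files/../index.html` resolves in URL space first, so it lands on the document root's `index.html` rather than on anything next to `C:\httpd\htdocs`; the alias can never be used as a ladder to its parent directory. And the worm probe `/d/winnt/system32/cmd.exe` is not a traversal at all once mapped: it simply resolves to a non-existent file under the document root, which is why the log in the first reply shows 404s for it regardless of which drive holds the web root.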