SurfControl Web ****** for Microsoft ISA Server Vulnerability


admin
06-24-2003, 10:00 AM
Package: SurfControl Web ****** for Microsoft ISA
Version: 4.2.0.21
Platforms: Windows 2000 Server
Local: No
Remote: Yes
Fix Available: No (recommended steps listed below)
Vendor Contacted: Sunday, June 08, 2003
Advisory Author: Thomas Adams

Background:
SurfControl Web ****** is a URL filtering system, designed to be easily
deployed onto most networks. SurfControl for Microsoft ISA is a plugin
that allows the Microsoft ISA server to have more control over
Internet usage. The plugin still offers most of the same benefits as
the standalone product, including: customizable reporting, easy admin
interface, and the remote interface for report retrieval.

Exploit:
An attacker is able to view/download any file from the server using a
directory traversal attack.

Vendor Response:
The SurfControl team was notified concerning the above vulnerability.
SurfControl had previous knowledge that this existed on the standalone
SurfControl platforms, but did not know it existed on the plugin for
Microsoft ISA. They recommended disabling the reports server and said it
is turned on by default for "convenience to users." Convenience before
security from a leader in ****** products?

To disable the report server, go to Admin Tools > Services and stop
SurfControl Web ****** Report Server.
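
With no fix available and the report server on by default, reviewing HTTP logs for earlier traversal requests is a useful companion to stopping the service. The following is an added example, not part of the original advisory or any SurfControl code; it assumes Common Log Format lines captured by a proxy or sensor in front of the report server, and the sample lines, addresses and paths are constructed.

```python
import re
from urllib.parse import unquote

# Assumption: Common Log Format. Adjust the pattern to whatever the proxy or
# sensor in front of the report server actually records.
REQUEST = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

def is_traversal(target: str, max_rounds: int = 3) -> bool:
    """True if the request target holds a parent-directory segment after decoding."""
    value = target
    for _ in range(max_rounds):        # peel nested encoding: %252e -> %2e -> .
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.replace("\\", "/")   # Windows accepts either path separator
    # Split path and query alike, so a file name passed as a parameter is covered.
    return any(seg == ".." for seg in re.split(r"[/?&=]", value))

def scan(lines):
    """Return (client, target) for every logged request that attempts traversal."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if m and is_traversal(m.group("target")):
            hits.append((m.group("client"), m.group("target")))
    return hits

# Constructed sample lines: documentation addresses and made-up paths.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Jun/2003:10:00:01 +0000] "GET /reports/summary.html HTTP/1.0" 200 5120',
    '198.51.100.7 - - [24/Jun/2003:10:02:13 +0000] "GET /../../example.txt HTTP/1.0" 200 211',
    '198.51.100.7 - - [24/Jun/2003:10:02:15 +0000] "GET /reports/%2e%2e%5c%2e%2e%5cexample.txt HTTP/1.0" 200 211',
    '198.51.100.7 - - [24/Jun/2003:10:02:19 +0000] "GET /reports/%252e%252e/example.txt HTTP/1.0" 404 0',
    '192.0.2.10 - - [24/Jun/2003:10:05:40 +0000] "GET /reports/v1..2/index.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for client, target in scan(SAMPLE_LOG):
        print(client, target)
```

A hit with a 200 status and a non-zero response size is the case to investigate first, since it suggests a file was actually returned.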