Adam,

The passwords are encrypted in the metabase. However, if you're viewing them as an administrator, they're decrypted on the fly as part of the display process. That's probably why they seemed to be plaintext.

Cheers,
Secureat_private

-----Original Message-----
From: Adam Sampson [mailto:azzat_private]
Sent: Monday, June 21, 1999 3:19 PM
To: BUGTRAQat_private
Subject: IIS 4.0 admin bug

I've been doing some work with automatic administration of IIS 4.0 on Windows NT 4/SP4 over the last couple of days, and noticed a security problem.

If I create an IISWebVirtualDir (sorry, don't have the machine in front of me at the moment, so my spellings/names might be wrong), I can set a username and password with which the directory will be read (which is handy for reading directories that the webserver otherwise wouldn't have access to). The IIS Programmer's Guide states that the password is stored encrypted in the metabase, when it's actually stored as plaintext---a security problem if you can dump the metabase data by other means, as you'll get plaintext valid user IDs and passwords.

This seems like MS trying to cover up an obvious security problem by incorrect documentation. Of course, given the other hoops I've needed to jump through to get what should be a relatively simple admin task done automatically, I wasn't really surprised.

--
Adam Sampson
azzat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:50:49 PDT