Data handling is a major responsibility for a web application. The data processed by the application might include sensitive information like user details, credentials, product functionality and many more. There are many servers running on Microsoft site server have major vulnerabilities through which an attacker can access various administrative pages with an unprivileged non-administrative server access. These administrator pages contain sensitive information, if going to wrong hands can completely compromise the application. Microsoft Site Server 3.0 prior to Service Pack 4 installs a default user on the web server named LDAP_Anonymous and password LdapPassword_1. A remote attacker can use these credentials to log into the server locally. Using these credentials, the attacker can perform any actions on the server without leaving any trail. The password for LDAP_Anonymous is hardcoded into the \winnt\system32\pNmsrvs.dll and \winnt\system32\inetsrv\dscomobj.dll. Thus, changing the password through the registry setting has no effect. After logging out, the system automatically removes all traces of its use in LDAP_Anonymous account.
The sensitive files that can be leaked using this vulnerability are:-
- /SiteServer/Admin/knowledge/persmbr/vs.asp
- /SiteServer/Admin/knowledge/persmbr/VsTmPr.asp
- /SiteServer/Admin/knowledge/persmbr/VsLsLpRd.asp
- /SiteServer/Admin/knowledge/persmbr/VsPrAuoEd.asp
Impact
Using this vulnerability, an attacker can:-
- get unprivileged access to the server.
- steal sensitive information about the application.
Mitigation / Precaution
Beagle recommends the following fixes:-
- Install the latest patch by Microsoft for fixing this vulnerability.
