IE7 FTP Security Issue

  • Question

  • I have run into a security hole in my ftp site that has only now become a problem with IE7.  The structure of my ftp directory involves several streaming media folders and a Client folder in the root directory.  The contents of the client folder and its children are all password protected.  Inside these folders I upload content for my clients to view approvals and allow them to upload files for my own use.  The root directory has read-only permissions for everybody because of the streaming content I am hosting.

    In the past when a client logs into their ftp folder, the password protected nature of the client folder prevents them from moving up in the hierarchy outside of their folder. 

    In IE7 however, I have found that a client can now leave her folder and move all the way through my hierarchy, into all of the folders I have designated read-only for everybody.  She cannot of course enter other clients' folders because of their password requirements; however, I do not want a client to have the ability to navigate through these parent directories even if she only has read permissions.

    I suspect this issue has to do with the new way IE7 reads ftp folders. 

    What solutions do you suggest?

    I am considering creating a second domain specifically for client files, thus separating the streaming material.   I suspect this would solve everything, however I would prefer to just reconfigure my current setup if there is a solution present. 

    Thanks for the help,

    - Martin Walsh
    Assistant Editor
    Metro Productions
    Monday, January 29, 2007 6:32 PM

All replies

  • *sigh*  Not even an admin response?
    Thursday, February 1, 2007 9:10 PM
  • MS really screwed the pooch on this.  I wonder who the genius was who decided that the handful of people that use IE with FTP or serve FTP wouldn't mind replacing a very smooth experience with this cluster f.
    Monday, February 5, 2007 8:55 PM
  • Martin,

    I'd like to get some more information about your setup and see if the issue is a bug in the server, misconfiguration of the server, or bug in IE. I have sent you an email to the address listed in your profile. If the email address currently listed is not correct, please update it and post a reply to this thread; I'll send my email to your correct address.

    -Kedar

    Thursday, February 22, 2007 1:15 AM
  • Kedar, I can supply you with any information you need to know.  I am also experiencing the same problem and wish to have it resolved as soon as possible.  Our current ftp site is set up on Server 2000.  With Windows Explorer we have no problem, but with IE7 all folders on the site are exposed with full control.  I've even created another ftp site on Server 2003 thinking this was an IIS problem, but I get the same results.  Feel free to contact me at buc_fan88@yahoo.com.
    Thursday, February 22, 2007 1:33 AM
  • KMcConnell,

    I have sent you an email to the address you specified. Please respond to it at your convenience, so that we can investigate the possibility of a bug in this scenario.

    -Kedar

    Monday, February 26, 2007 5:31 PM
  • well, I am having the same problem.  Hoping to get a result asap.  thanks
    Tuesday, February 27, 2007 12:29 AM
  • This has been a real tragedy for me - virtual FTP users are dropping right into my FTP root when they use IE7. Untold client secrets are effortlessly revealed.

    Fortunately, I've got a temporary workaround you might try...seems to work for me...

    Change your default FTP ("home") directory in IIS to an empty folder somewhere. I called mine FTPRoot_Empty. Give people Read access, not Write. When it popped up asking if I wanted that to affect my several hosted sites, I selected none of them and just clicked OK.

    Now logging into an ftp:// link in IE7 drops users into that empty directory. Then they can be instructed to use the Page | Open FTP site in Windows Explorer feature. When they're again prompted for their username/password, it opens to the virtual FTP directory appropriately, at least in my preliminary tests.

    I'm a programmer, not a server guy, so if you're a guru, *please* let me know if I'm going to have some negative results from this change. I've not had time to test it like I'd like to.

    Full credit goes to http://weblogs.asp.net/owscott/archive/2004/02/05/68423.aspx that gave me the idea.

    MS, please, please get a fix for this. Who knows who can see what out there.

    Wednesday, February 28, 2007 6:06 AM
  • Let's be clear here: You're currently relying on security through obscurity.  Anyone can use another FTP client or send their own custom FTP commands to do the same thing that IE7 is presently doing.

    You should set your file system permissions such that unauthenticated users cannot view folders you don't want them to see.

    Wednesday, February 28, 2007 7:54 PM
  • Mr. Yagcioglu,

    I have sent an email to the address you've listed in your profile asking for additional information so we can check what's going on here.

    -Kedar

    Thursday, March 1, 2007 1:01 AM
  •  KedarH - MSFT wrote:

    Mr. Yagcioglu,

    I have sent an email to the address you've listed in your profile asking for additional information so we can check what's going on here.

    -Kedar

    Mr. Yagcioglu,

    It appears that the email address you have listed is invalid. Please list a valid one and post a reply to this thread if you wish to communicate with me about this issue.

    -Kedar

    Thursday, March 1, 2007 5:11 PM
  • Eric,

    I appreciate the reply, but in all of my testing, that's not been the case for me. I've set up virtual FTP users for years. In IE6 and in FTP clients (I just tested one), those users would drop right into the folder I told it to put them into, and not be able to get to the FTP root.

    Now, when a user logs in using IE7, that user automatically drops into my server's FTP root, and they can see the names of all of the subfolders there. That's a problem for me. And yes, they can see the folders even if I've removed the list permission from their user account for that folder.

    My request for a fix is related to the fact that IE7 drops virtual FTP users into my FTP root instead of their assigned subfolder. I'll even admit that at the time, because I'd never needed it before, I hadn't removed all the permissions on the subfolders. Of course, no one could get to them anyway (unless I'm told otherwise). I figure there are others with that same problem. Admins need to know their FTP users will be "seeing up their skirts." Don't you agree?

    BTW, according to your post, the virtual FTP feature has always allowed any user using any FTP program other than IE7 to go up levels into the FTP root. In my experience that's not the case, and my FTP client test today didn't allow it...of course, maybe I just don't know how. Is that true for anyone else - could virtual FTP users get to your FTP root using an FTP client other than IE7?

    Thursday, March 1, 2007 10:00 PM
  • Kenny,

    Eric is correct in saying that using another FTP client, such as ftp.exe that comes bundled with Windows, or telnet, a user who has a username and password to your server can access any of the files on your FTP site. The fact that IE or Explorer used to drop users into their home directory and made it look like the root of the server is a client-side, convenience feature. This has always been the case.

    As it turns out, Kenny, your particular issue is well-understood by our team and we have an active bug on it. I'll add your comments to the bug.

    There are three things you should do: firstly, make sure the Windows ACLs on each user's folder allow only them to see into it. This way, although any user will be able to see the existence of other users' folders over FTP, they will not be able to see the contents. Secondly, look into a feature of IIS called "user isolation" or "isolation mode." I don't remember the details of how it works, but I seem to remember it is one way to get around this bug. Thirdly, I believe if you tell your users to open Explorer and do the navigation there, then they should get the old behavior. The bug only applies to IE, not Explorer.

    Hope this helps

    -Kedar

    Friday, March 2, 2007 6:06 PM
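The replies above argue that what a logged-in account can reach is decided by the server's permissions, not by which client it uses. The following is an added example, not code from this thread: it does what any plain FTP client can do (CWD .., CWD /, then LIST) and reports whether the account is confined to its home. The host and credentials are placeholders; check_isolation accepts any object with pwd(), cwd() and nlst() methods so it can be exercised offline.

```python
"""Audit whether an FTP account can leave its assigned home directory.

Added example, not code from this thread. It issues the same commands any
non-IE client can (CWD .. / CWD / then LIST), so the result reflects the
server-side permissions rather than client behaviour. Host and credentials
below are placeholders."""
from ftplib import FTP, error_perm


def check_isolation(ftp):
    """Try to climb out of the login directory; report what becomes visible.

    `ftp` is an ftplib.FTP that is already logged in, or any stand-in with
    pwd(), cwd() and nlst() methods (handy for offline testing)."""
    home = ftp.pwd()
    result = {"home": home, "escaped_to": None, "exposed": []}
    for target in ("..", "/"):
        try:
            ftp.cwd(target)
        except error_perm:
            continue  # server refused the directory change: good
        here = ftp.pwd()
        if here == home:
            continue  # a chroot jail reports the same directory: also good
        result["escaped_to"] = here
        try:
            result["exposed"] = ftp.nlst()  # names a confined user should not see
        except error_perm:
            result["exposed"] = []
        break
    result["isolated"] = result["escaped_to"] is None
    return result


def audit_account(host, user, password):
    """Log in with plain ftplib and run the isolation check."""
    with FTP(host, timeout=10) as ftp:
        ftp.login(user, password)
        return check_isolation(ftp)


if __name__ == "__main__":
    # Placeholder values: replace with a test account on your own server.
    report = audit_account("ftp.example.invalid", "client_user", "client_password")
    status = "confined to" if report["isolated"] else "escaped from"
    print(f"account {status} its home {report['home']}:", report)
```

Run it with a low-privilege test account; an "escaped_to" value with a non-empty "exposed" list means the fix belongs in the server's ACLs or isolation settings, not in the client.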
  • Hi,

    I'm also having this issue; could you inform me please of what transpired from this reported bug? I've found reference to this problem all over the web but with no viable solution in sight. I would really appreciate some advice.

    Thanks in advance

    Tim

    Wednesday, June 27, 2007 3:44 PM
  • This thread is over a year old and we still have this major security flaw.

    IIS FTP Isolation Mode does not resolve the problem.  Even in Isolation Mode IE7 users are dropped into the FTP Root rather than the folder matching their username.

    Very bad.

    Wednesday, May 7, 2008 12:50 PM
  • I have run into the same problem. This seems to have something to do with Active Directory, as my users on AD who also have an account on my vsFTP server have this issue, but those users who do not have AD credentials are prompted for a username and password. I am continuing to check if the local users NOT on AD drop into root also.

    The base issue, I think, is that vsFTP needs to close this security hole. As the server should not allow unqualified users full access to file systems. Even though it is IE7 that has the security problem, the server side should never allow this to occur.

    For an interim fix, I found that if I use chroot with users individually put in a chroot jail, they can see the filesystem but can open no files.
    If I chroot all users EXCEPT those listed in the file, AD users drop into the root directory.
    Monday, July 7, 2008 3:35 PM
  • While this is a bug, it is not a security flaw in any sense.  If your server is configured such that a client can expose things you don't want to be seen, then your server is misconfigured - whether IE reveals these things by default or not has no importance from a security standpoint.  IE talks FTP... it cannot have a bug that leads to a security issue on your server; only the server can have such a bug (and that isn't the problem here).

    To reiterate - if you've made it readable to a particular user, then an FTP client can legitimately read it when logged in as that user.  Whether or not any particular FTP client DOES read it is irrelevant; the security issue is with your configuration, not with IE.

    Tuesday, July 29, 2008 4:16 PM
  • What FTP host are you using?
    Tuesday, August 5, 2008 2:41 AM
  • So what security settings do you suggest on the server?

    Tuesday, October 14, 2008 2:38 PM