mwalsh

I have run into a security hole in my ftp site that has only now become a problem with IE7. The structure of my ftp directory involves several streaming media folders and a Client folder in the root directory. The contents of the client folder and its children are all password protected. Inside these folders I upload content for my clients to view approvals and allow them to upload files for my own use. The root directory has read-only permissions for everybody because of the streaming content I am hosting.

In the past, when a client logged into their ftp folder, the password-protected nature of the client folder prevented them from moving up in the hierarchy outside of their folder.

In IE7, however, I have found that a client can now leave her folder and move all the way through my hierarchy, into all of the folders I have designated read-only for everybody. She cannot, of course, enter other clients' folders because of their password requirements; however, I do not want a client to have the ability to navigate through these parent directories even if she only has read permissions.

I suspect this issue has to do with the new way IE7 reads ftp folders.

What solutions do you suggest?

I am considering creating a second domain specifically for client files, thus separating the streaming material. I suspect this would solve everything; however, I would prefer to just reconfigure my current setup if there is a solution present.

Thanks for the help,

- Martin Walsh
Assistant Editor
Metro Productions



Re: Internet Explorer Web Development IE7 FTP Security Issue

mwalsh

*sigh* Not even an admin response





Re: Internet Explorer Web Development IE7 FTP Security Issue

The Fat Man

MS really screwed the pooch on this. I wonder who the genius was who decided that the handful of people that use IE with FTP or serve FTP wouldn't mind replacing a very smooth experience with this cluster f.



Re: Internet Explorer Web Development IE7 FTP Security Issue

KedarH - MSFT

Martin,

I'd like to get some more information about your setup and see if the issue is a bug in the server, a misconfiguration of the server, or a bug in IE. I have sent you an email to the address listed in your profile. If the email address currently listed is not correct, please update it and post a reply to this thread; I'll send my email to your correct address.

-Kedar





Re: Internet Explorer Web Development IE7 FTP Security Issue

KMcConnell

Kedar, I can supply you with any information you need to know. I am also experiencing the same problem and wish to have it resolved as soon as possible. Our current ftp site is set up on Server 2000. With Windows Explorer we have no problem, but with IE7 all folders on the site are exposed with full control. I've even created another ftp site on Server 2003 thinking this was an IIS problem, but I get the same results. Feel free to contact me at buc_fan88@yahoo.com.



Re: Internet Explorer Web Development IE7 FTP Security Issue

KedarH - MSFT

KMcConnell,

I have sent you an email to the address you specified. Please respond to it at your convenience, so that we can investigate the possibility of a bug in this scenario.

-Kedar





Re: Internet Explorer Web Development IE7 FTP Security Issue

cyagcioglu

Well, I am having the same problem. Hoping to get a result ASAP. Thanks.



Re: Internet Explorer Web Development IE7 FTP Security Issue

kwyatt1

This has been a real tragedy for me - virtual FTP users are dropping right into my FTP root when they use IE7. Untold client secrets are effortlessly revealed.

Fortunately, I've got a temporary workaround you might try...seems to work for me...

Change your default FTP ("home") directory in IIS to an empty folder somewhere. I called mine FTPRoot_Empty. Give people Read access, not Write. When it popped up asking if I wanted that to affect my several hosted sites, I selected none of them and just clicked OK.

Now logging into an ftp:// link in IE7 drops users into that empty directory. Then they can be instructed to use the Page | Open FTP site in Windows Explorer feature. When they're again prompted for their username/password, it opens to the virtual FTP directory appropriately, at least in my preliminary tests.

I'm a programmer, not a server guy, so if you're a guru, *please* let me know if I'm going to have some negative results from this change. I've not had time to test it like I'd like to.

Full credit goes to http://weblogs.asp.net/owscott/archive/2004/02/05/68423.aspx that gave me the idea.

MS, please, please get a fix for this. Who knows who can see what out there.






Re: Internet Explorer Web Development IE7 FTP Security Issue

EricLaw-MSFT

Let's be clear here: You're currently relying on security through obscurity. Anyone can use another FTP client or send their own custom FTP commands to do the same thing that IE7 is presently doing.

You should set your file system permissions such that unauthenticated users cannot view folders you don't want them to see.





Re: Internet Explorer Web Development IE7 FTP Security Issue

KedarH - MSFT

Mr. Yagcioglu,

I have sent an email to the address you've listed in your profile asking for additional information so we can check what's going on here.

-Kedar





Re: Internet Explorer Web Development IE7 FTP Security Issue

KedarH - MSFT

KedarH - MSFT wrote:

Mr. Yagcioglu,

I have sent an email to the address you've listed in your profile asking for additional information so we can check what's going on here.

-Kedar

Mr. Yagcioglu,

It appears that the email address you have listed is invalid. Please list a valid one and post a reply to this thread if you wish to communicate with me about this issue.

-Kedar





Re: Internet Explorer Web Development IE7 FTP Security Issue

kwyatt1

Eric,

I appreciate the reply, but in all of my testing, that's not been the case for me. I've set up virtual FTP users for years. In IE6 and in FTP clients (I just tested one), those users would drop right into the folder I told it to put them into, and not be able to get to the FTP root.

Now, when a user logs in using IE7, that user automatically drops into my server's FTP root, and they can see the names of all of the subfolders there. That's a problem for me. And yes, they can see the folders even if I've removed the list permission from their user account for that folder.

My request for a fix is related to the fact that IE7 drops virtual FTP users into my FTP root instead of their assigned subfolder. I'll even admit that at the time, because I'd never needed it before, I hadn't removed all the permissions on the subfolders. Of course, no one could get to them anyway (unless I'm told otherwise). I figure there are others with that same problem. Admins need to know their FTP users will be "seeing up their skirts." Don't you agree?

BTW, according to your post, the virtual FTP feature has always allowed any user using any FTP program other than IE7 to go up levels into the FTP root. In my experience that's not the case, and my FTP client test today didn't allow it...of course, maybe I just don't know how. Is that true for anyone else - could virtual FTP users get to your FTP root using an FTP client other than IE7?






Re: Internet Explorer Web Development IE7 FTP Security Issue

KedarH - MSFT

Kenny,

Eric is correct in saying that using another FTP client, such as ftp.exe that comes bundled with Windows, or telnet, a user who has a username and password to your server can access any of the files on your FTP site. The fact that IE or Explorer used to drop users into their home directory and made it look like the root of the server is a client-side, convenience feature. This has always been the case.

As it turns out, Kenny, your particular issue is well-understood by our team and we have an active bug on it. I'll add your comments to the bug.

There are three things you should do: firstly, make sure the Windows ACLs on each user's folder allow only them to see into it. This way, although any user will be able to see the existence of other users' folders over FTP, they will not be able to see the contents. Secondly, look into a feature of IIS called "user isolation" or "isolation mode." I don't remember the details of how it works, but I seem to remember it is one way to get around this bug. Thirdly, I believe if you tell your users to open Explorer and do the navigation there, then they should get the old behavior. The bug only applies to IE, not Explorer.

Hope this helps.

-Kedar
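The first of Kedar's three steps (and Eric's point that the real control is the file system ACL, not the client) can be checked rather than assumed. The following is an added example, not code from anyone in this thread: a PowerShell audit that walks each client subfolder under the FTP root and reports any Allow ACE that gives a broad principal (Everyone, Users, Authenticated Users, anonymous) the right to list or read it, followed by an icacls remediation for one folder. The root path, the `Clients` folder name, the `FTPSERVER\acme` account and the need for PowerShell and icacls on the server are all assumptions.

```powershell
# Added example (not from the thread). Assumed layout: $FtpRoot\Clients\<client>,
# one folder per client account. Run on the FTP server as an administrator.
$FtpRoot = 'D:\FTPRoot'                                   # assumed FTP home directory
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\ANONYMOUS LOGON')
# ReadData and ListDirectory share the same bit; either lets a user enumerate the folder.
$ReadMask = [System.Security.AccessControl.FileSystemRights]::ReadData -bor
            [System.Security.AccessControl.FileSystemRights]::ListDirectory

function Find-BroadReadAces {
    param([string]$ClientsPath)
    Get-ChildItem -Path $ClientsPath -Directory | ForEach-Object {
        $folder = $_.FullName
        $acl = Get-Acl -Path $folder
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            $grantsRead = (([int]$ace.FileSystemRights) -band [int]$ReadMask) -ne 0
            # IUSR_* is the IIS anonymous account; a wildcard covers the per-host suffix.
            if ($grantsRead -and (($BroadPrincipals -contains $id) -or ($id -like '*\IUSR*'))) {
                [pscustomobject]@{
                    Folder    = $folder
                    Principal = $id
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # True means it came down from the FTP root
                }
            }
        }
    }
}

# Report every client folder that a broad principal can list or read.
Find-BroadReadAces -ClientsPath (Join-Path $FtpRoot 'Clients') | Format-Table -AutoSize

# Remediation for one folder (assumed client account FTPSERVER\acme):
# /inheritance:r drops the ACEs inherited from the read-for-everybody FTP root,
# /grant:r replaces the explicit ACEs with only admins, SYSTEM and the owning client.
$acme = Join-Path $FtpRoot 'Clients\acme'
icacls $acme /inheritance:r
icacls $acme /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
                      'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
                      'FTPSERVER\acme:(OI)(CI)M'
```

Re-run the audit after remediation; a folder that still appears has an explicit or inherited ACE the icacls step did not cover, and the streaming folders in the root keep their everybody-read ACL untouched.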





Re: Internet Explorer Web Development IE7 FTP Security Issue

tic01

Hi,

I'm also having this issue. Could you please inform me of what transpired from this reported bug? I've found references to this problem all over the web but with no viable solution in sight. I would really appreciate some advice.

Thanks in advance

Tim