SurfControl Web Filter for Microsoft ISA Server Vulnerability





Package:		SurfControl Web Filter for Microsoft ISA

Vendor Web Site:	http://www.surfcontrol.com

Version: 		4.2.0.21

Platforms: 		Windows 2000 Server		

Local:			No

Remote: 		Yes

Fix Available:		No (recommended steps listed below)

Vendor Contacted: 	Sunday, June 08, 2003 

Advisory Author:	Thomas Adams (tgadams@bellsouth.net)







Background:

SurfControl Web Filter is a url filtering system, designed to be easily 

deployed onto most networks. SurfControl for Microsoft ISA is a plugin 

the allows the Microsoft ISA server to have more control over the 

internet usage. The plugin still allows most of the same benefits from 

the stand alone product including: customizable reporting, easy admin 

interface, and the remote interface for report retrieval.





Exploit:

An attacker is able to view/download any file from the server using a 

directory traversal attack:



http://isa-surfserver:8888/.../.../.../.../winnt/ 





Vendor Response:

SurfControl team was notified concerning the above vulnerability. 

SurfControl had previous knowledge that this existed on the stand alone 

SurfControl platforms, but did not know it existed on the plugin for 

Microsoft ISA. They recommended disabling the reports server and said it 

is turned on by default for "convenience to users."  Convenience before 

security from a leader in filter products? 



To disable the report server, go to Admin Tools> Services> and stop 

SurfControl Web Filter Report Server