03 Apr 2009
This is a little heads-up (and fix) of a security issue in MOSS web services for anonymous accessible sites.
I’ve tested a number of public MOSS sites and I only found one where I couldn’t access “…/_vti_bin/SiteData.asmx” (none mentioned, none called out). Try it on your favorite MOSS site and you’ll most likely get the list of web methods exposed by this web service.
You can access all the other MOSS webservices as well.
This is not as big a security hole as you might think, because the MOSS web services still respect the SharePoint permissions, so the anonymous evil internet hacker can probably not do anything that anonymous users are not already allowed to do. But he can probably access a whole lot more information than is visible on your main site, and are you really sure you secured it all properly? Do you really want people to access your web services?
Specifically, the SiteData.asmx web service is the bad story here. It’s used by the crawler to list all pages on the SharePoint site that have changed since the last time it crawled. In other words, it lists every page in your farm, including secured and/or unpublished pages. You definitely do not want this. What about the title (not the actual content!) of your next stock announcement being available to the outside before it’s published?
How to fix
I’ve messed a bit with the web.config file that is associated with the web services to disallow anonymous access by default. It’s just a few lines, and then all web service calls require authentication 🙂
The default web.config file lists 3 web services that are always allowed anonymous access; I suggest that you leave those unchanged.
If you have any additional web services that require anonymous access, you can just add them to the list (after my additions).
So; change the web.config file in “C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\ISAPI” on all your frontend servers to this:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<configuration>
  <system.web>
    <webServices>
      <protocols>
        <remove name="HttpGet" />
        <remove name="HttpPost" />
        <remove name="HttpPostLocalhost" />
        <add name="Documentation" />
      </protocols>
    </webServices>
    <customErrors mode="On"/>
    <!-- Søren Nielsen: 23-02-2009 disable anonymous access to webservices -->
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
  <location path="authentication.asmx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="wsdisco.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="wswsdl.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
- This is a farm-wide setting, so all your sites will be affected. Non-anonymous sites are unchanged, as this is similar to their default behaviour.
- You could copy this web.config file to all your servers (not just frontend) if you like. I don’t see any problems with this, however I’ve not tested it thoroughly enough to say for sure.
- If you add another frontend server be sure to deploy it there too.
- You could add this web.config file to a wsp file and deploy it through SharePoint, but in that case be careful when you retract it because SharePoint will then remove the file and no webservices will work across the entire farm.
- I suggest that you verify that the web.config file is still in place every time you apply a major upgrade/service pack.
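The last point above (checking that the hardened web.config survives upgrades and service packs) is easy to automate. The following is an added example, not code from the original post: it parses a web.config with Python's standard library and reports whether the global `<deny users="?"/>` is present and whether the only locations that allow anonymous access are the three the post says to leave unchanged. The two sample configs are constructed for the example; in practice you would read the file from the ISAPI folder on each frontend server.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the hardened web.config from the post, reduced to the
# elements this check inspects.
HARDENED_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<configuration>
  <system.web>
    <customErrors mode="On"/>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
  <location path="authentication.asmx">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
  <location path="wsdisco.aspx">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
  <location path="wswsdl.aspx">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
</configuration>
"""

# Constructed sample: what you might find after a service pack has replaced
# the file (no global deny) and someone has opened SiteData.asmx on purpose.
DEFAULT_LIKE_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<configuration>
  <system.web>
    <customErrors mode="On"/>
  </system.web>
  <location path="authentication.asmx">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
  <location path="wsdisco.aspx">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
  <location path="wswsdl.aspx">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
  <location path="SiteData.asmx">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
</configuration>
"""

# The three services the post says are always allowed anonymous access.
EXPECTED_ANONYMOUS = frozenset({"authentication.asmx", "wsdisco.aspx", "wswsdl.aspx"})


def audit_webservice_config(xml_text, expected_anonymous=EXPECTED_ANONYMOUS):
    """Return a list of findings; an empty list means the config matches the
    hardened layout described in the post."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []

    # 1. The global authorization block must deny anonymous ("?") users.
    auth = root.find("./system.web/authorization")
    denies_anonymous = auth is not None and any(
        rule.get("users") == "?" for rule in auth.findall("deny"))
    if not denies_anonymous:
        findings.append('global <deny users="?"/> missing: all web services allow anonymous access')

    # 2. Collect every <location> that re-opens access to everyone ("*") or
    #    anonymous users ("?"); these override the global deny for that path.
    anonymous_paths = set()
    for location in root.findall("location"):
        loc_auth = location.find("./system.web/authorization")
        if loc_auth is None:
            continue
        if any(rule.get("users") in ("*", "?") for rule in loc_auth.findall("allow")):
            anonymous_paths.add(location.get("path"))

    for path in sorted(anonymous_paths - expected_anonymous):
        findings.append(f"unexpected anonymous location: {path}")
    for path in sorted(expected_anonymous - anonymous_paths):
        findings.append(f"expected anonymous location missing: {path}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_WEB_CONFIG), ("default-like", DEFAULT_LIKE_WEB_CONFIG)):
        print(name, audit_webservice_config(cfg) or ["ok"])
```

Run it against the file on each frontend server after every upgrade; a non-empty list means the global deny was lost or an extra service has been opened to anonymous users and needs a second look.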