Bugtraq mailing list archives
Everyone writable IIS root directory
From: n-miwa () LAC CO JP (Nobuo Miwa)
Date: Fri, 24 Sep 1999 09:17:24 +0900
Hi,

We (the JWNTUG (Japan Windows NT Users Group) Security Working Group) reported to MS a kind of DoS problem on the mailroot and ftproot directories of IIS. Those directories (C:\Inetpub\ftproot, \mailroot) are readable and writable for everyone. So we tested the following script as C:\inetpub\mailroot\fill.bat:

    :fill
    copy drop\*.* pickup
    goto fill

This script can be executed by any user, and the hard disk will be filled with emails soon after some emails come into the "drop" directory. We also tested from Terminal Server. It works well. In addition, any user can read and write email in the drop folder.

We reported to MS and they replied as follows:

    You're right -- those permissions should be tightened. We're going to add this to the IIS Security Checklist at http://www.microsoft.com/security/products/iis/CheckList.asp, to make sure that customers know that they need to do this. Thanks again for reporting the issue!

    Regards,
    Secure () microsoft com

----------------------------------------------------------------
Nobuo Miwa
A member of JWNTUG Security Working Group
http://www.jwntug.or.jp

Special thanks to
    Hideaki Ihara <ihara () port139 co jp>
    YOKOYAMA Tetsuya <Yokoyama.Tetsuya () GlobalKnowledge Co JP>
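An audit for the permission problem described in the message above, as an added example that is not part of the original post or of any Microsoft checklist. It assumes PowerShell 3.0 or later and the default C:\Inetpub paths named in the post; the variable names are illustrative.

```powershell
# Added example: report Allow ACEs that give broad groups write access
# under the IIS directories named in the post.
$roots = 'C:\Inetpub\ftproot', 'C:\Inetpub\mailroot'   # default paths (assumption)

# Well-known SIDs, so the check also works on localized Windows installs
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Specific rights that allow creating, changing or re-permissioning files
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear unmapped in inherit-only ACEs
$genericWrite = 0x50000000

$findings = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # Check the root itself and every subdirectory (drop, pickup, ...)
    $dirs = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl   = Get-Acl -LiteralPath $dir.FullName
        # Ask for SIDs rather than names so the lookup table above matches
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -ne 'Allow' -or -not $broad.ContainsKey($sid)) { continue }
            $bits = [int]$rule.FileSystemRights
            if (($bits -band [int]$writeRights) -or ($bits -band $genericWrite)) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $broad[$sid]
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

The script lists Allow entries only and does not evaluate Deny entries, so its output is a set of ACEs to review rather than a computed effective permission.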