Penetration Testing mailing list archives
Re: [PEN-TEST] IIS File System Object
From: NA <root () CYPHERNAUT NET>
Date: Thu, 18 Jan 2001 16:17:49 -0800
I wrote a tool to browse, view, and download any file off of any drive; all I need to do is upload my ASP file. This problem has been known for a while. ASP != HTML ;) ASP is a full-fledged language.

----- Original Message -----
From: "Gay, Benjamin CA" <beng () ISFAX CO ZA>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Thursday, January 18, 2001 3:44 AM
Subject: [PEN-TEST] IIS File System Object
Hi All,

I am looking at an IIS 4 web server. I have noticed that I can access the entire volume by writing a script using the File System Object.

<Snip>
'// Just a silly example
' The FSO instance has to be created before it can be used
Set oFSO = Server.CreateObject("Scripting.FileSystemObject")
strRootFolder = "D:\"
Set oFolder = oFSO.GetFolder(strRootFolder)
Set oFSO = Nothing
' List every top-level folder on the drive
For Each oSubFolder In oFolder.SubFolders
    Response.Write oSubFolder & "<BR>"
Next
</Snip>

Is it possible to allow legitimate users access to their own "Home" folders and nowhere else? The reason I am confused is that my understanding is that the "IIS_ANONYMOUS" or "whatever" service account is used. If you have multiple sites that require scripting, you would be able to get their contents (i.e. all the different sites would have script permissions). Anyone have any ideas on how to stop this?

Thanks in advance for my probably trivial question :-)

Benjamin
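One way to do the confinement Benjamin asks about at script level, written here as an added example rather than code from either post: the listing is pinned to the site's own home directory (Server.MapPath("/")) and any requested folder is canonicalised and prefix-checked before FSO touches it. The site root D:\Sites\example named in the comments is a hypothetical layout.

```vbscript
<%
Option Explicit
' Added example, not from either post in the thread: a listing script that
' refuses to leave its own site's home directory. Assumes classic ASP with
' Scripting.FileSystemObject and a site root such as D:\Sites\example (hypothetical).
Dim oFSO, strHome, strRequested, strTarget, oFolder, oSubFolder

Set oFSO = Server.CreateObject("Scripting.FileSystemObject")

' Physical path of the site root as IIS maps it, with any trailing "\" removed
strHome = oFSO.GetAbsolutePathName(Server.MapPath("/"))
If Right(strHome, 1) = "\" Then strHome = Left(strHome, Len(strHome) - 1)

' Untrusted input: a folder name relative to the site root
strRequested = Request.QueryString("dir")
If strRequested = "" Then strRequested = "."

' A drive letter can never be part of a relative subfolder name
If InStr(strRequested, ":") > 0 Then Call Deny()

' Canonicalise before comparing, so "..\" segments and "/" separators are resolved
strTarget = oFSO.GetAbsolutePathName(oFSO.BuildPath(strHome, strRequested))

' Accept only the home folder itself or something strictly beneath it
If StrComp(Left(strTarget & "\", Len(strHome) + 1), strHome & "\", vbTextCompare) <> 0 Then Call Deny()

Set oFolder = oFSO.GetFolder(strTarget)
For Each oSubFolder In oFolder.SubFolders
    Response.Write Server.HTMLEncode(oSubFolder.Name) & "<BR>"
Next
Set oFolder = Nothing
Set oFSO = Nothing

Sub Deny()
    Response.Status = "403 Forbidden"
    Response.Write "Access denied"
    Response.End
End Sub
%>
```

This only restrains a script that chooses to check; the uploaded-ASP case NA describes is bounded solely by the NTFS permissions of the account IIS impersonates for the request (the anonymous account Benjamin mentions). A separate anonymous account per site plus NTFS ACLs on each home folder is the control that actually answers the question.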
Current thread:
- [PEN-TEST] IIS File System Object Gay, Benjamin CA (Jan 18)
- Re: [PEN-TEST] IIS File System Object NA (Jan 18)
- <Possible follow-ups>
- Re: [PEN-TEST] IIS File System Object Daniel Docekal (Jan 23)