Full Disclosure mailing list archives
RE: Frontpage Extensions Remote Command Execution
From: "mattmurphy () kc rr com" <mattmurphy () kc rr com>
Date: Wed, 12 Nov 2003 16:32:29 -0500
"Geo" <geoincidents () getinfo org> writes:
No it's not, IWAM is Web Applications MANAGER account you were thinking of IUSR perhaps? This is not guest. This account can change websites so in a multi host environment this level of access will allow a compromise of every website on the server.
You're flat out wrong on this point. I have IIS installed on the machine that I write from now (firewalled to LAN). IWAM is a GUEST. Guests are members of USERS. And if you read MSDN's documentation, out-of-process applications are *not* allowed metabase access in any way shape or form. The metabase file's permissions are restricted to Administrators only. Looking at the description of the IWAM_machinename account on my system, it is listed as the "Launch Process Account". IWAM has *no* privileges other than those explicitly granted to Guests, Users, or Everyone. The *only* way that a process running as IWAM can access the metabase is if an Administrator authenticates to IIS and it uses that user's account as its impersonation token. In any case, that is specific to the thread processing that request. -------------------------------------------------------------------- mail2web - Check your email from the web at http://mail2web.com/ . _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Frontpage Extensions Remote Command Execution Brett Moore (Nov 12)
- RE: Frontpage Extensions Remote Command Execution Geo. (Nov 12)
- <Possible follow-ups>
- RE: Frontpage Extensions Remote Command Execution mattmurphy () kc rr com (Nov 12)
- RE: Frontpage Extensions Remote Command Execution Geo. (Nov 12)
- Re: Frontpage Extensions Remote Command Execution Damian Gerow (Nov 12)
- Re: Frontpage Extensions Remote Command Execution Paul Schmehl (Nov 12)
- Re: Frontpage Extensions Remote Command Execution Damian Gerow (Nov 12)
- Re: Frontpage Extensions Remote Command Execution Ricky Blaikie (Nov 12)
- RE: Frontpage Extensions Remote Command Execution mattmurphy () kc rr com (Nov 12)
- Re: Frontpage Extensions Remote Command Execution Geoincidents (Nov 12)
- RE: Frontpage Extensions Remote Command Execution Nick Jacobsen (Nov 12)
- Re[2]: Frontpage Extensions Remote Command Execution Adik (Nov 13)
- RE: Frontpage Extensions Remote Command Execution Marc Maiffret (Nov 13)