Penetration Testing mailing list archives

[PEN-TEST] IIS File System Object


From: "Gay, Benjamin CA" <beng () ISFAX CO ZA>
Date: Thu, 18 Jan 2001 13:44:20 +0200

Hi All,

I am looking at an IIS 4 web server. I have noticed that I can access
the entire volume by writing a script using the File System Object.

<Snip>
 '// Just a silly example
 '// Create the FSO before using it (the original snippet never did)
 Set oFSO = Server.CreateObject("Scripting.FileSystemObject")
 '// One variable name throughout (original mixed strTheRootFolder/strRootFolder)
 strRootFolder = "D:\"
 Set oFolder = oFSO.GetFolder(strRootFolder)

 For Each oSubFolder in oFolder.SubFolders
  Response.Write oSubFolder & "<BR>"
 Next

 '// Release the objects only after the folder has been used
 Set oFolder = Nothing
 Set oFSO = Nothing
</Snip>

Is it possible to allow legitimate users access to their own "Home"
folders and nowhere else? The reason I am confused is that my
understanding is that "IIS_ANONYMOUS" or "whatever" service account
is used. If you have multiple sites that require scripting you would
be able to get their contents (i.e. all the different sites would
have script permissions).

Anyone have any ideas on how to stop this?

Thanks in advance for my probably trivial question :-)

Benjamin



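As an added example (not code from Benjamin's post), here is a hardened version of the listing above that resolves the folder from the site's own root and refuses anything outside it; this complements, rather than replaces, giving each site its own anonymous account with NTFS permissions limited to its home directory. It assumes classic ASP with VBScript on IIS, and the `sub` query-string parameter is a hypothetical name.

```vbscript
<%
' Added example, not from the original post: confine FileSystemObject
' access to the requesting site's own home directory.
Option Explicit

Function IsInsideRoot(strRoot, strCandidate)
    ' Case-insensitive prefix check on normalised paths; the candidate
    ' must equal the root or sit below it.
    Dim r, c
    r = LCase(strRoot)
    If Right(r, 1) <> "\" Then r = r & "\"
    c = LCase(strCandidate)
    If Right(c, 1) <> "\" Then c = c & "\"
    IsInsideRoot = (Left(c, Len(r)) = r)
End Function

Dim oFSO, oFolder, oSub, strRoot, strRequested, strResolved

' Site home directory taken from the virtual root, not a hard-coded drive.
strRoot = Server.MapPath("/")

' Untrusted sub-folder name supplied by the caller ("sub" is a hypothetical
' parameter name). Reject traversal and drive/UNC prefixes up front.
strRequested = Request.QueryString("sub")
If InStr(strRequested, "..") > 0 Or InStr(strRequested, ":") > 0 _
   Or Left(strRequested, 1) = "\" Or Left(strRequested, 1) = "/" Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set oFSO = Server.CreateObject("Scripting.FileSystemObject")
' GetAbsolutePathName collapses any remaining relative components so the
' containment check sees the final path the FSO would actually open.
strResolved = oFSO.GetAbsolutePathName(strRoot & "\" & strRequested)

If Not IsInsideRoot(strRoot, strResolved) Then
    Response.Status = "403 Forbidden"
    Set oFSO = Nothing
    Response.End
End If

Set oFolder = oFSO.GetFolder(strResolved)
For Each oSub In oFolder.SubFolders
    Response.Write Server.HTMLEncode(oSub.Name) & "<BR>"
Next

Set oFolder = Nothing
Set oFSO = Nothing
%>
```

The script-level check only limits what this one page will open; a script on another site running under the same anonymous account is still bounded only by NTFS ACLs, which is why separate per-site accounts matter.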