Penetration Testing mailing list archives
Re: [PEN-TEST] IIS File System Object
From: Daniel Docekal <ddoc () MIA CZ>
Date: Fri, 19 Jan 2001 23:24:52 +0100
FileSystemObject is known for this particular security flaw and it is NOT recommended for any environment where numerous users can misuse it. Anybody who, for example, wants to use server hosting based on NT/W2K should deregister the DLL where FileSystemObject is - there are several replacements of FileSystemObject available (3rd party). This is also recommended and well documented in Microsoft white papers about securing web server installation.

Daniel
-----Original Message-----
From: NA [mailto:root () CYPHERNAUT NET]
Sent: Friday, January 19, 2001 1:18 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] IIS File System Object

I wrote a tool to browse, view, and download any file off of any drive; all I need to do is upload my asp file. This problem has been known for a while. ASP != HTML ;) ASP is a full fledged language.

----- Original Message -----
From: "Gay, Benjamin CA" <beng () ISFAX CO ZA>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Thursday, January 18, 2001 3:44 AM
Subject: [PEN-TEST] IIS File System Object

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi All,

I am looking at an IIS 4 web server. I have noticed that I can access the entire volume by writing a script using the File System Object.

<Snip>
<%
'// Just a silly example: list every top-level folder on the D: drive,
'// far outside the web root, from an ordinary ASP page.
Set oFSO = Server.CreateObject("Scripting.FileSystemObject")
strRootFolder = "D:\"
Set oFolder = oFSO.GetFolder(strRootFolder)
For Each oSubFolder In oFolder.SubFolders
    Response.Write oSubFolder & "<BR>"
Next
Set oFolder = Nothing
Set oFSO = Nothing
%>
</Snip>

Is it possible to allow legitimate users access to their own "Home" folders and nowhere else? The reason I am confused is that my understanding is that "IIS_ANONYMOUS" or "whatever" service account is used. If you have multiple sites that require scripting you would be able to get their contents (i.e. all the different sites would have script permissions). Anyone have any ideas on how to stop this?

Thanks in advance for my probably trivial question :-)

Benjamin

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOmbXFPujFM+/buMIEQLVEQCfQ9LgOfhsb4ZEHqXEVzlDD14bmv4AoLYj
uCYRDEv6M5v2XlMgA3pIQMSC
=bmBl
-----END PGP SIGNATURE-----
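The remediation Daniel describes (deregistering the DLL that hosts FileSystemObject) as a worked example. This is an added script, not code from anyone in the thread: it checks whether Scripting.FileSystemObject is still registered, then either unregisters scrrun.dll (the Scripting Runtime library that provides it) or, as an alternative for hosts where some trusted site still needs FSO, denies the IIS anonymous account read access to that DLL so pages running as that account cannot load it. It assumes Windows 2000's reg.exe (on NT 4 it comes from the Resource Kit), that the anonymous account is the default IUSR_<machine>, and that the script runs from an administrative command prompt.

```batch
@echo off
rem Added example, not from the thread. Check for and disable
rem Scripting.FileSystemObject on an IIS 4/5 host.
rem Assumptions: reg.exe (Windows 2000 or the NT 4 Resource Kit) is on the
rem path, and the IIS anonymous account is IUSR_%COMPUTERNAME% (the default;
rem adjust ANON if the site runs under another identity).
setlocal
set DLL=%SystemRoot%\system32\scrrun.dll
set ANON=IUSR_%COMPUTERNAME%

rem 1. Is the FileSystemObject ProgID registered? If the key is gone the
rem    component cannot be created and there is nothing left to do.
reg query "HKCR\Scripting.FileSystemObject\CLSID" >nul 2>&1
if errorlevel 1 (
    echo Scripting.FileSystemObject is not registered; nothing to do.
    goto :eof
)
echo Scripting.FileSystemObject is registered (hosted by %DLL%).

rem 2a. Shared-hosting option, as recommended in the thread: unregister the
rem     DLL. Afterwards every Server.CreateObject("Scripting.FileSystemObject")
rem     fails with ASP 0177 (Server.CreateObject Failed). Scripting.Dictionary
rem     lives in the same DLL and disappears too, so confirm no site needs it.
if /i "%1"=="unregister" (
    regsvr32 /u /s %DLL%
    echo Unregistered %DLL%.
    goto :eof
)

rem 2b. Alternative when one trusted site must keep FSO: leave the DLL
rem     registered but deny the anonymous account access to it. Pages that
rem     run as that account can no longer load the component; a site whose
rem     anonymous user is a different account is unaffected.
if /i "%1"=="deny" (
    cacls %DLL% /E /D %ANON%
    echo Denied %ANON% access to %DLL%.
    goto :eof
)

echo usage: %~nx0 unregister ^| deny
endlocal
```

Run it once with no argument to see whether the component is still registered, then with `unregister` or `deny` depending on whether any site on the box legitimately needs FileSystemObject. The DLL-level ACL only helps if each site runs under its own anonymous account; if every site shares IUSR_<machine>, as Benjamin describes, deregistering is the only one of the two that actually stops a hostile .asp upload.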
Current thread:
- [PEN-TEST] IIS File System Object Gay, Benjamin CA (Jan 18)
- Re: [PEN-TEST] IIS File System Object NA (Jan 18)
- <Possible follow-ups>
- Re: [PEN-TEST] IIS File System Object Daniel Docekal (Jan 23)