Penetration Testing mailing list archives

Re: [PEN-TEST] IIS File System Object


From: Daniel Docekal <ddoc () MIA CZ>
Date: Fri, 19 Jan 2001 23:24:52 +0100

FileSystem Object is known for this particular security flaw and it is NOT
recommended for any environment where numerous users can misuse it. Anybody
who, for example, wants to use server hosting based on NT/W2K should
deregister the DLL where FileSystemObject is - there are several replacements of
FileSystemObject available (3rd party). This is also recommended and well
documented in Microsoft white papers about securing web server installation.

Daniel

-----Original Message-----
From: NA [mailto:root () CYPHERNAUT NET]
Sent: Friday, January 19, 2001 1:18 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] IIS File System Object


I wrote a tool to browse, view, and download any file off of any drive, all I
need to do is upload my asp file.

This problem has been known for a while.

ASP != HTML ;)

ASP is a full fledged language.

----- Original Message -----
From: "Gay, Benjamin CA" <beng () ISFAX CO ZA>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Thursday, January 18, 2001 3:44 AM
Subject: [PEN-TEST] IIS File System Object


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi All,

I am looking at an IIS 4 web server. I have noticed that I can access
the entire volume by writing a script using the File System Object.

<Snip>
 '// Just a silly example
 strRootFolder = "D:\"
 Set oFolder = oFSO.GetFolder(strRootFolder)
 Set oFSO = Nothing

 For Each oSubFolder in oFolder.SubFolders
  Response.Write oSubFolder & "<BR>"
 Next
</Snip>

Is it possible to allow legitimate users access to their own "Home"
folders and nowhere else? The reason I am confused is that my
understanding is that "IIS_ANONYMOUS" or "whatever" service account
is used. If you have multiple sites that require scripting you would
be able to get their contents (i.e. all the different sites would
have script permissions)

Anyone have any ideas on how to stop this?

Thanks in advance for my probably trivial question :-)

Benjamin

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOmbXFPujFM+/buMIEQLVEQCfQ9LgOfhsb4ZEHqXEVzlDD14bmv4AoLYj
uCYRDEv6M5v2XlMgA3pIQMSC
=bmBl
-----END PGP SIGNATURE-----
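
Added example, not part of any message in this thread: before deregistering the FileSystemObject DLL as recommended in the reply above, a hosting admin will want an inventory of which hosted ASP files depend on it. The function names, the two match patterns and the sample page are assumptions constructed for illustration.

```python
import re

# ProgID discussed in the thread; VBScript is case-insensitive, so is the match.
PROGID = r"scripting\.filesystemobject"

# Assumed patterns: CreateObject / Server.CreateObject calls in script code,
# and server-side <object ... progid="..."> declarations in page markup.
CREATE_RE = re.compile(r'createobject\s*\(\s*"' + PROGID + r'"', re.I)
OBJECT_RE = re.compile(r'<object\b[^>]*\bprogid\s*=\s*["\']?' + PROGID, re.I)

def strip_vbscript_comment(line):
    """Drop a trailing ' comment, ignoring apostrophes inside string literals."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line

def find_fso_use(source):
    """Return (line_number, kind) for each FileSystemObject instantiation."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        # Comment stripping applies to script code only; markup is matched raw
        # so single-quoted HTML attributes are not mistaken for comments.
        if CREATE_RE.search(strip_vbscript_comment(line)):
            hits.append((number, "CreateObject"))
        if OBJECT_RE.search(line):
            hits.append((number, "<object progid>"))
    return hits

# Constructed sample page (not taken from the thread).
SAMPLE_ASP = '''<%@ Language=VBScript %>
<%
' Set fso = CreateObject("Scripting.FileSystemObject")  (commented out)
Set fso = Server.CreateObject( "scripting.filesystemobject" )
Set d = CreateObject("Scripting.Dictionary")
%>
<object runat="server" id="fs" progid="Scripting.FileSystemObject"></object>
'''

if __name__ == "__main__":
    for number, kind in find_fso_use(SAMPLE_ASP):
        print(f"line {number}: {kind}")
```

This is an inventory aid for finding legitimate dependencies before the component is removed; the access restriction itself comes from deregistering the component, not from the scan.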



