Re: I.I.S and Security - No authentication of scripts.

[gregh () INSTINCTIVE COM (Greg Haverkamp)]

Well, I just spent the better part of today looking at this.  Fortunately,
I came in late.  :)

At 04:44 PM 3/5/97 GMT, you wrote:
>     This may have be mentioned on the BUGTRAQ mailing list, but I couldn't
>     find it. The information is supplied as quoted by Chris Borneman.
>     I've had some problems trying to verify this on the DEC Alpha version
>     of I.I.S 3.0

I've not seen it before.  I've been able to replicate this under
circumstances certain circumstances.  I feel comfortable that I've isolated
a some relatively obscure cases when this will happen.

Incidentally, I'm running Peer Web Services with Active Server Pages.  So,
I'm not an exact match, but I'm pretty close.

>     --------------------------------------------------------------------
>
>     When securing your site based on membership (who you are, not where
>     you are located), IIS turns to NTFS and the security access associated
>     with the file.  For instance, in IIS you have the ability to say
>     "Allow Anonymous". This is used in conjuction with the "Anonymous
>     Logon".  The reason is simple, and file that can be accessed by the
>     account specified in "Anonymous Logon" can be accessed by any Web user
>     hitting your site.

[...]

>     If the credentials match the access to the file in question, the file
>     is sent.  Try this for yourself.  Create a directory under your
>     wwwroot and use the NT Explorer to revoke rights on that directory and
>     any subdirectory and only allow the SYSTEM and your specific account
>     access (make sure it isn't the IUSR_machine_name account.  Place an
>     htm file in that directory, then access from Internet Explorer.
>     You'll be asked to give your user name and password (assuming you
>     allow Basic Authentication and turn off Windows NT
>     Challenge/Response).

Yup.  This works.  Just as I would expect it to.

>     However, if you do the same for a script, IIS still _executes_ it and
>     sends back the results.  This isn't an issue of "Read" vs. "Execute".
>     The script isn't readable.  The directory I'm dealing with has "Read"
>     off and "Execute" on.  However, the script also shouldn't be
>     accessible or ran until I provide my credentials, and that is the
>     SECURITY HOLE.  Netscape's Server does this _correctly_, so why not
>     Microsoft?

If I look at the HTML file, go back to Internet Service Manager and change
permissions to Execute only, and then go to execute, I will not be
prompted.  My username and password are cached as expected.

Kill Internet Explorer.  Start it back up.  Point it to
http://mymachine/passtest/passtest.exe, and I am prompted for a username
and password.  Enter it, and the script runs.

If the file I am accessing is of a certain type (.exe, .asp, or .pl) I have
no problem.  When I try .plx (for the PerlIS.dll), the script will never be
executed.

>     IIS is supposed to access _every_ file within the thread context of
>     either anonymous, or the specific Web user.  IIS does this for all
>     non-script files.  However, it does not for script files.

Unless this is very specific to IIS (i.e., doesn't work with Peer Web
Services w/ASP), this does not appear to be a reproducible problem.

If anyone else is trying this, be absolutely certain you close IE after
looking at static pages.

Greg