Bugtraq mailing list archives
I.I.S 3.0: Another slight security concern ?
From: daragh_malone () TELECOM IE
Date: Fri, 7 Mar 1997 11:37:12 GMT
It appears that any Active Server Page can create, read, write or overwrite any file on the system, regardless of security permissions. Here's how to recreate the situation. Share out the wwwroot directory to a user, or use InterDev and allow the user to log in to the web. This, I would imagine, is all that you want the user to see. If this user creates an .asp page and uses the Scripting.FileSystemObject, he has full control over any file on the machine. E.g.:

    <%
    Set fsMad=CreateObject("Scripting.FileSystemObject")
    Set fileMad=fsMad.CreateTextFile("c:\winnt\mad.txt")
    fileMad.write("Here's a bit of a strange one")
    fileMad.close
    %>

Neither the user's account nor the IUSR_machinename account has been granted the right to do this. It seems that the file is being manipulated by the SYSTEM account. This is probably by design, but I give it here as a warning that sharing out wwwroot is in effect sharing out the entire filesystem. Can this behaviour be prevented, as I want to have web authors on the machine, but to limit their ability to mess up outside wwwroot?

Thanks,
Daragh.
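An added check, not part of the original post, that an administrator could run over web authors' .asp files before publishing them: it flags FileSystemObject calls whose literal path falls outside wwwroot, and marks paths built at runtime for manual review. The wwwroot location and both sample pages (one of them the snippet from the post) are constructed here.

```python
import ntpath
import re

# FileSystemObject methods whose first argument is a filesystem path.
FSO_METHODS = ("CreateTextFile", "OpenTextFile", "CopyFile", "MoveFile", "DeleteFile",
               "GetFile", "CreateFolder", "DeleteFolder", "GetFolder")
CREATE_RE = re.compile(r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"\s*\)', re.I)
CALL_RE = re.compile(r'\.(' + "|".join(FSO_METHODS) + r')\s*\(\s*([^,)]+)', re.I)
ABS_RE = re.compile(r'^(?:[A-Za-z]:\\|\\\\)')  # drive-letter or UNC path

# Constructed samples: the snippet from the post, and a page that stays in wwwroot
# except for one path built at runtime (which a static check cannot resolve).
POSTED_PAGE = r"""<%
Set fsMad=CreateObject("Scripting.FileSystemObject")
Set fileMad=fsMad.CreateTextFile("c:\winnt\mad.txt")
fileMad.write("Here's a bit of a strange one")
fileMad.close
%>"""
REVIEW_PAGE = r"""<%
Set fs=CreateObject("Scripting.FileSystemObject")
Set log=fs.OpenTextFile("C:\InetPub\wwwroot\logs\hits.txt", 8, True)
Set data=fs.GetFile(Server.MapPath("data.txt"))
%>"""


def inside(path, root):
    """True if the absolute Windows path lies under root (case-insensitive)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root)).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def audit(source, wwwroot):
    """Return (method, argument, verdict) for every FSO path call in an ASP page."""
    findings = []
    if not CREATE_RE.search(source):
        return findings  # page never instantiates the FileSystemObject
    for m in CALL_RE.finditer(source):
        method, arg = m.group(1), m.group(2).strip()
        if not (arg.startswith('"') and arg.endswith('"')):
            findings.append((method, arg, "dynamic path, review manually"))
        elif not ABS_RE.match(arg[1:-1]):
            findings.append((method, arg, "relative path, review manually"))
        elif not inside(arg[1:-1], wwwroot):
            findings.append((method, arg, "outside wwwroot"))
    return findings
```

The check is a code-review aid only: a path assembled from variables or request data passes through as "dynamic", so it does not replace running authors' scripts under an account with restricted filesystem rights.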