Re: CmdAsp.asp - What's your exposure?

[Maceo <maceo () DOGMILE COM>]

 What I failed to mention is that because of the broken way IIS
 impersonates accounts the cmd process will run as IWAM_COMPUTER
 or SYSTEM.  In IIS 4.0 it depends upon whether or not you have
 chosen to "run in separate memory space" option or not.  In
 IIS 5.0 it's the difference between Application Protection "Low"
 and Medium or High.  This is significant because, developers may
 not be aware they are executing code as SYSTEM, just because they
 spawned a shell.

   -Maceo