[63] in Best-of-Security
BoS: I.I.S 3.0: Another slight security concern?
daemon@ATHENA.MIT.EDU (daragh_malone@TELECOM.IE)
Fri Mar 7 19:22:18 1997
Date: Fri, 7 Mar 1997 11:37:12 GMT
Reply-To: daragh_malone@TELECOM.IE
From: daragh_malone@TELECOM.IE
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net
It appears that any Active Server Page can create, read, write or
overwrite any file on the system, regardless of security permissions.
Here's how to recreate the situation.
Share out the wwwroot directory to a user, or use InterDev and
allow the user to log in to the web. This I would imagine is all that
you want the user to see.
If this user creates an .asp page, and uses the
Scripting.FileSystemObject, he has full control over any file on the
machine.
E.g.
<%
' Instantiate the FileSystemObject from the page's server-side script
Set fsMad = CreateObject("Scripting.FileSystemObject")
' Create (or overwrite) a file outside wwwroot, under the system directory
Set fileMad = fsMad.CreateTextFile("c:\winnt\mad.txt")
fileMad.Write("Here's a bit of a strange one")
fileMad.Close
%>
Neither the user's account nor the IUSR_machinename account has been
granted the right to do this. It seems that the file is being
manipulated by the SYSTEM account.
This is probably by design, but I give it here as a warning that
sharing out wwwroot is in effect sharing out the entire filesystem.
Can this behaviour be prevented, as I want to have web authors on the
machine, but to limit their ability to mess up outside wwwroot?
Thanks,
Daragh.
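The post shows one page writing to c:\winnt through Scripting.FileSystemObject and asks how to keep web authors inside wwwroot. The post offers no fix, but one check an administrator can run today is to scan the pages authors upload and report every FileSystemObject call together with the path it touches, so writes that leave the web root (or take their path from the request) are caught before the page is served. The script below is an added example, not code from the original post or from Microsoft: the sample page, the web root C:\InetPub\wwwroot and the regexes are constructed here. It only recognises the object when it is instantiated with the literal ProgID string; a ProgID assembled at run time, or a different COM object, would not be flagged. Relative paths are reported as unknown because the post gives no basis for where the server resolves them.

```python
"""Scan classic ASP pages for Scripting.FileSystemObject use and report the
paths each call touches relative to the web root. Constructed example."""
import re
import ntpath

# VBScript identifiers are case-insensitive, and CreateObject may be called
# bare or through the Server object, so match both spellings.
FSO_CREATE = re.compile(
    r'(?:Server\s*\.\s*)?CreateObject\s*\(\s*"Scripting\.FileSystemObject"\s*\)',
    re.IGNORECASE)

# FileSystemObject members whose first argument is a path. The argument is
# captured as a quoted literal only when the literal is the whole argument;
# anything else (variable, concatenation, Request(...)) is captured as an
# expression and reported as dynamic.
FSO_METHOD = re.compile(
    r'\.\s*(CreateTextFile|OpenTextFile|CopyFile|MoveFile|DeleteFile|GetFile|'
    r'CreateFolder|DeleteFolder|GetFolder|FileExists|FolderExists)'
    r'\s*\(\s*(?:"([^"]*)"(?=\s*[,)])|([^,\r\n]+))',
    re.IGNORECASE)

# Server-side script delimiters of a classic ASP page.
SCRIPT_BLOCK = re.compile(r'<%(.*?)%>', re.DOTALL)


def classify_path(path, webroot):
    """'inside' if an absolute literal path stays under webroot, 'outside'
    if it resolves elsewhere (".." segments are normalised first), and
    'unknown' for relative or drive-less paths."""
    if not ntpath.isabs(path) or not ntpath.splitdrive(path)[0]:
        return "unknown"
    norm = ntpath.normcase(ntpath.normpath(path))
    root = ntpath.normcase(ntpath.normpath(webroot)).rstrip("\\")
    if norm == root or norm.startswith(root + "\\"):
        return "inside"
    return "outside"


def _trim_expr(expr):
    """Strip the closing parentheses of the enclosing call from a captured
    argument expression, leaving the expression itself balanced."""
    expr = expr.strip()
    while expr.endswith(")") and expr.count("(") < expr.count(")"):
        expr = expr[:-1].rstrip()
    return expr


def scan_asp(source, webroot):
    """Return one finding per path-taking FSO call inside any script block
    that instantiates Scripting.FileSystemObject."""
    findings = []
    for block in SCRIPT_BLOCK.finditer(source):
        code = block.group(1)
        if not FSO_CREATE.search(code):
            continue
        for call in FSO_METHOD.finditer(code):
            # 1-based line number of the call within the whole page
            line = source.count("\n", 0, block.start(1) + call.start()) + 1
            literal, expr = call.group(2), call.group(3)
            if literal is not None:
                target, verdict = literal, classify_path(literal, webroot)
            else:
                target, verdict = _trim_expr(expr), "dynamic"
            findings.append({"line": line, "method": call.group(1),
                             "target": target, "verdict": verdict})
    return findings


# Constructed sample page: the write from the post, a write that stays under
# the web root, and a delete whose path comes straight from the request.
SAMPLE_PAGE = r'''<html><body>
<%
' The write from the original post: escapes wwwroot entirely
Set fsMad = CreateObject("Scripting.FileSystemObject")
Set fileMad = fsMad.CreateTextFile("c:\winnt\mad.txt")
fileMad.Write("Here's a bit of a strange one")
fileMad.Close
%>
<p>Guestbook</p>
<%
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Set log = fso.OpenTextFile("C:\InetPub\wwwroot\guest\log.txt", 8, True)
log.WriteLine(Request.Form("name"))
log.Close
' Path taken from the query string: reviewer must inspect
fso.DeleteFile(Request("f"))
%>
</body></html>
'''

WEBROOT = r"C:\InetPub\wwwroot"   # assumed location of the shared web root

if __name__ == "__main__":
    for f in scan_asp(SAMPLE_PAGE, WEBROOT):
        print(f"line {f['line']:3}: {f['method']:<15} {f['verdict']:<8} {f['target']}")
```

Run over a real tree, every finding other than "inside" deserves a look: "outside" is a page doing exactly what the post describes, "dynamic" means the path is chosen at run time and may be attacker-controlled, and "unknown" means the scanner could not resolve it.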