IIS Server Security - IUSER and write permissions

ShootMePlease

2005-02-03, 5:52 pm

I am having an argument with someone right now about permissions and the
anonymous IUSER. This person has insisted that I give the IUSER write
permissions to a web site he is developing so that he can get his ASP code
to work. I have compromised by creating a subdirectory for him. My ideal
setup would be to have his ASP pages in the root of the web, and then have
those pages use this sub-directory to create and write these temporary data
files he needs. Instead of modifying his code he has simply moved all of
his ASP pages into that subdirectory.

I want to prove to my manager that this is bad and that our developer needs
to secure his code.

Anybody know of a good exploit I can demo? How can I write a file to this
web site as if I were an anonymous user? Can I simply rename his ASP files
as the IUSER and prove that I can take down the site?

Any advice would be appreciated, thanks.


Ken Schaefer

2005-02-03, 8:48 pm

Why does the subfolder need to be in the webroot? Why don't you just put the
subfolder outside the webroot? Then he can't put the ASP pages in that
folder because they are not web accessible.

Write permissions are bad - it means that if there's even the slightest
coding flaw on the part of this developer, someone could rewrite your ASP
pages themselves, e.g. rewrite your homepage so that it now says something
completely different.

ASP pages themselves do not need write permissions, only NTFS Read
permissions. Other things may need write permissions, but you should
probably get the developer to tell you why he needs write permissions for
those things.

Cheers
Ken


"ShootMePlease" <nospam@nospam.org> wrote in message
news:e%23U%233%23iCFHA.3924@TK2MSFTNGP15.phx.gbl...
>I am having an argument with someone right now about permissions and the
>anonymous IUSER. This person has insisted that I give the IUSER write
>permissions to a web site he is developing so that he can get his ASP code
>to work. I have compromised by creating a subdirectory for him. My ideal
>setup would be to have his ASP pages in the root of the web, and then have
>those pages use this sub-directory to create and write these temporary data
>files he needs. Instead of modifying his code he has simply moved all of
>his ASP pages into that subdirectory.
>
> I want to prove to my manager that this is bad and that our developer
> needs to secure his code.
>
> Anybody know of a good exploit I can demo? How can I write a file to this
> web site as if I were an anonymous user? Can I simply rename his ASP
> files as the IUSER and prove that I can take down the site?
>
> Any advice would be appreciated, thanks.
>
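Ken's recommended layout (webroot read-only for the anonymous account, a writable scratch folder outside the webroot) as an added PowerShell example that is not part of this thread: it audits the webroot's NTFS ACLs for any write-class right granted to the anonymous web identity and grants Modify only on a data folder outside the webroot. The account name (IUSR_<MACHINENAME> on IIS 5/6, IUSR on IIS 7+), the two paths and the set of rights treated as "write-class" are assumptions, not values from the thread.

```powershell
# Added example, not from the thread: audit an IIS webroot for write-class NTFS
# rights granted to the anonymous web identity, then grant that identity Modify
# on a scratch folder outside the webroot. Account and paths are assumptions
# (IIS 5/6 used IUSR_<MACHINENAME>; IIS 7+ uses IUSR); override them as needed.
param(
    [string]$WebRoot   = 'C:\inetpub\wwwroot',
    [string]$DataDir   = 'C:\inetpub\appdata',
    [string]$Anonymous = "IUSR_$env:COMPUTERNAME"
)

# Rights that let a caller create, change, rename or delete content or its ACL.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Find-AnonymousWriteAccess {
    param([string]$Path, [string]$Account)
    # Report every folder (root included) whose ACL allows the anonymous
    # identity any write-class right, whether explicit or inherited.
    $folders = @(Get-Item -Path $Path) +
               @(Get-ChildItem -Path $Path -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -like "*\$Account" -and
                ($ace.FileSystemRights -band $WriteMask) -ne 0) {
                [pscustomobject]@{ Folder = $folder.FullName; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

function Grant-ScratchFolderWrite {
    param([string]$Path, [string]$Account)
    # Create the folder outside the webroot and grant the anonymous identity
    # Modify there only; the rule inherits to files and subfolders created in it.
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

$hits = Find-AnonymousWriteAccess -Path $WebRoot -Account $Anonymous
if ($hits) { $hits | Format-Table -AutoSize } else { "No write-class rights for $Anonymous under $WebRoot" }
Grant-ScratchFolderWrite -Path $DataDir -Account $Anonymous
```

Any folder the audit lists under the webroot is one where a flaw in the ASP code could let an anonymous request alter the pages themselves; the ASP pages should then write their temporary files to $DataDir rather than to a folder the web server serves.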

Copyright 2003 - 2008 webservertalk.com