IIS Server Security - ASPX form Uploads a file even without IIS Write permission


Author ASPX form Uploads a file even without IIS Write permission
FB

2005-08-19, 8:49 pm

A customer has an IIS 6 web server and even with the IIS Write property DISABLED,
an ASPX form can upload files to the server.

The authentication is Anon (via IUSR_ user) and the IUSR_User has RWXD
rights on the folder where the upload is stored.

In the properties of the IIS folder where upload is done, the Read
permission is set, but Write, SourceAccess and Browse are disabled.

Why does the upload work?

Christian Paparelli

2005-08-20, 2:53 am

"FB" <FB@discussions.microsoft.com> wrote in message
news:B9069C32-8121-42BD-A591-CF04B3EDE0E2@microsoft.com...

Hi

> A customer has an IIS 6 web server and even with the IIS Write property
> DISABLED, an ASPX form can upload files to the server.
>
> The authentication is Anon (via IUSR_ user) and the IUSR_User has RWXD
> rights on the folder where the upload is stored.
>
> In the properties of the IIS folder where upload is done, the Read
> permission is set, but Write, SourceAccess and Browse are disabled.
>
> Why does the upload work?

It works because the anon user (IUSR_user) has write permission.
The Write property on IIS is requested for the PUT HTTP command, but if you
make an upload via an ASPX form you make an HTTP POST.


--
Christian Paparelli
http://www.ithost.ch



David Wang [Msft]

2005-08-21, 7:48 am

By design due to how it is configured.

http://blogs.msdn.com/david.wang/ar...Permission.aspx

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//


FB

2005-08-23, 5:56 pm

Ok, thanks for the answer.

If I understood, even without Read IIS Access, ASP pages (and other
script-mapped extensions) run, because the Run Scripts IIS permission is set
on...

Another related question: If the Write IIS property does not protect against an
ASP Upload, what is the purpose of the Write IIS property? In which situation
will it be useful to uncheck the Write IIS Permission?

The problems related in this article come from the fact that I'm worried
about the security configuration of my customer, where the IUSR_ has RWXD
rights on NTFS. Can anyone upload files to the server? Can someone use an HTTP
client to upload files to my server without my knowledge?

All ASP pages have a mechanism (made by developers, in ASP, years ago) to
test if the user was authenticated on a Sybase Database and several other
pages check security information on DBS and AS/400 databases. It is why the
IUSR has a wider right on the NTFS; all authentication requests are not
being manipulated by IIS. Can a malicious user upload files to my server?


David Wang [Msft]

2005-08-23, 9:02 pm

Basically, you have to understand that the "Write" Property in IIS does not
control whether files can be written to the server at all -- it only
controls standard HTTP "write" operations like PUT. In fact, ASPX form
Uploads are not standard HTTP as far as IIS is concerned -- it is custom
behavior controlled by other mechanisms.

I realize that you probably think HTTP uploads are the "write" permissions
that should be secured, and that PUT is something bizarre that you have no
idea of... but sorry, a bunch of W3C standards bodies are disagreeing with
you here. ;-)


Ok, when I talk about "you" in the following, I really mean your customer...

Your problems come from the fact that you are implementing your own custom
authentication/authorization scheme and pretty much disabled
NTFS/IIS/ASP.Net based authentication/authorization schemes. Thus, you are
solely responsible for making your custom configuration secure.

The basic concept in computing is that you can only implement
authentication/authorization if you are part of the "trusted computing base"
(and by trusted, it means you can do anything). If your custom
authentication/authorization does not lock down everything and leaves the
gates wide-open for another system to take advantage of it, of course the
system will be insecure -- because of the failure of a member of the trusted
computing base. This sort of problem is an issue with the user design, and
not a security problem in IIS/Windows.

1. You have Anonymous authentication enabled and IUSR has RWXD on the
directories in question, meaning you have effectively disabled NTFS-based
security for everyone
2. IIS-based authorization relies on ACLs for file access and HTTP-based
concepts, so it is completely tangential to the issue of accepting HTTP
uploads via POST. IIS simply has no idea whether a given POST request is
writing to the filesystem or not -- it just knows a POST came and a blob of
code runs to handle it -- so custom security requires that piece of code to
implement authorization on when to write to the filesystem.

This means that if you have a post acceptor on your webserver which accepts
uploads without proper authentication/authorization, then yes, anyone can
upload and possibly execute files on your webserver without you knowing --
and the behavior is completely by design due to your configuration and is
not a flaw in IIS/Windows.

I'm sorry for my matter-of-fact tone, but generally:
1. People love writing/using custom authentication/authorization because it
is easier than Windows ACLs
2. However, custom authentication/authorization is harder to secure than
Windows

You're looking at a prime example...

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
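The point made in the reply above, that the code handling the POST must itself decide when a write to the filesystem is allowed, sketched as an ASP.NET handler. This is an added example, not code from the thread or from the customer's application; the class name, the `CanUpload` session flag, the `D:\uploads` path and the extension list are assumptions.

```csharp
// Added example. Hypothetical names: UploadHandler, Session["CanUpload"],
// the D:\uploads directory and the extension allowlist.
using System;
using System.IO;
using System.Web;
using System.Web.SessionState;

public class UploadHandler : IHttpHandler, IRequiresSessionState
{
    // Assumption: a directory outside the web root, so nothing stored here
    // is reachable by URL or mapped to a script engine.
    private const string UploadRoot = @"D:\uploads";
    private const int MaxBytes = 5 * 1024 * 1024;
    private static readonly string[] Allowed = { ".pdf", ".png", ".jpg", ".txt" };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        if (ctx.Request.HttpMethod != "POST") { Deny(ctx, 405); return; }

        // The application's own authorization decision. Assumption: the custom
        // login code sets Session["CanUpload"] = true after its database check.
        object flag = ctx.Session["CanUpload"];
        if (!(flag is bool) || !(bool)flag) { Deny(ctx, 403); return; }

        HttpPostedFile file = ctx.Request.Files["file"];
        if (file == null || file.ContentLength == 0 || file.ContentLength > MaxBytes)
        { Deny(ctx, 400); return; }

        // The client-supplied name is untrusted: keep only its extension,
        // check that against the allowlist, and generate the stored name.
        string ext = Path.GetExtension(Path.GetFileName(file.FileName)).ToLowerInvariant();
        if (Array.IndexOf(Allowed, ext) < 0) { Deny(ctx, 400); return; }

        string stored = Path.Combine(UploadRoot, Guid.NewGuid().ToString("N") + ext);
        file.SaveAs(stored);
        ctx.Response.StatusCode = 200;
        ctx.Response.Write("stored");
    }

    private static void Deny(HttpContext ctx, int status)
    {
        ctx.Response.StatusCode = status;
    }
}
```

With a check like this in the handler, the anonymous account needs write access only to the one storage directory, not RWXD on the content folders.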



KayZer Soze

2005-08-25, 6:04 pm

A sad event: When I asked the developer about the web.config and
machine.config files, the answer was: "What is it?"





Copyright 2003 - 2008 webservertalk.com