|
Home > Archive > IIS Server Security > January 2007 > Root Directory and Write Permissions
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Root Directory and Write Permissions
|
|
| iporter 2007-01-31, 1:17 pm |
| I'm vaguely aware that for security reasons, you shouldn't set write
permissions to your root web directory. However, I have a ASP-based
CMS that is designed to write html files and folders to the root
directory.
What are the risks?
Thanks,
Iain
| |
| David Wang 2007-01-31, 7:19 pm |
| At minimum, it means the user identity which the ASP page runs as has
ability to write files to a directory that is web accessible.
If that directory is also allowed to execute code, it means that a
remote user can write and execute arbitrary code from that directory.
And depending on the user identity configured to execute requests in
specific directories, a remote user can now write and execute
arbitrary code of his choosing with potentially elevated user
privileges.
This is one simple way to be vulnerable to elevation of privilege
attack. Amongst many others.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Jan 31, 9:19 am, "iporter" <ispor...@gmail.com> wrote:
> I'm vaguely aware that for security reasons, you shouldn't set write
> permissions to your root web directory. However, I have a ASP-based
> CMS that is designed to write html files and folders to the root
> directory.
>
> What are the risks?
>
> Thanks,
> Iain
|
|
|
|
|