| Adam White 2004-10-18, 2:50 am |
I guess the moral of the story is not to have different sites share the same database.
Cheers
Adam
>-----Original Message-----
>Stefan:
>
>OK Here is where I am at.
>
>I have created 2 CMS Read Only web entry sites with their own unique IP addresses.
>
>In the first CMS Read Only site, I have set the security so that it and its CMS virtual directories (cms and MCMS) are all set to Windows Integrated Authentication.
>
>In the second CMS Read Only site, I have set the security in IIS for the entire site, including its CMS virtual directories (CMS and MCMS) to Anonymous.
>
>I then launch the SCA tool and enable Anonymous access
>
>Next, I set my Internet Explorer browser security settings to anonymous and browse site 2.
>
>On site 2 the default posting has a link on it. So I click the link and it shows up fine. Great! So far so good. I write down the URL. Here it is.
>
>http://CMSRO1/NR/rdonlyres/9439791A-E758-4F38-8FEC-9C29A082CF7C/0/Compileprojecterror.doc
>
>
>Now I'm a hacker and I change the ending part of the URL to a resource I know exists in the CACHE folder but it is part of the other CMS Read Only site's resource gallery.
>
>I change the URL as follows:
>
>http://CMSRO1/NR/rdonlyres/2004M18i...b8libumvgiowxjidvfsjamzgkxdweskfyr.pdf
>
>
>When I press enter the resource appears!!!
>
>How could this happen? I would have expected a 401 or 403 access denied error.
>
>Is it because the initial part of the URL is still the Anonymous Access site?
>
>Is there a way around this?
>
>I think that the ISAPI filter only comes into play when you request a posting from a channel. The filter then authenticates the user and gets the posting from the database and renders it into HTML, including the links that point to the NR/RdOnlyRes folder.
>
>
>
>Please advise.
>
>Thanks
>
>Tom