Re: Using FSO in ASP to view just about anything
- To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
- Subject: Re: Using FSO in ASP to view just about anything
- From: Joel Maslak <jmaslak@WIND-RIVER.COM>
- Date: Thu, 11 Feb 1999 16:25:46 -0700
- Approved-By: Russ.Cooper@RC.ON.CA
- In-Reply-To: <001901be560f$148dfb60$1033f2d0@heineken>
- Reply-To: Joel Maslak <jmaslak@WIND-RIVER.COM>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
At 05:37 p.m. 11/02/99 -0500, you wrote:
>This active server page opens the FileSystemObject and streams the contents
>of the file specified in the "file" parameter. The problem with FSO is that
>you can go 'outside' of the "\InetPub\wwwRoot\" directory using "../".
Yes, this is a fairly well known bug.
Solution? NTFS permissions. Simply run each virtual web as a different
user, and make sure that user can't view each other's virtual webs, but
only its own virtual web. This feature is actually quite useful when you
need to "break out of the mold" of traditional design.
One thing that should be noted is ANY ActiveX server can be executed by a
user, by simply doing a server.CreateObject in the ASP file. Obviously,
the security ramifications of this can be quite severe. You can open up MS
Outlook, and using the mail object, send mail. Neat feature for some
people, but scary if you look at some of the other interfaces in some of your
applications (think attachments!)... Do your users really have a
legitimate purpose in starting up, say, Word (never tried this, but I bet
it would work)? This is a much bigger issue. An example of this use is at:
http://www.swynk.com/friends/datema/excelface.asp
It would be nice to have a way of limiting what objects can be created by
server.CreateObject (yes, I realize this is probably a big modification).
In addition to this feature, how about...
<!-- #include file="..\ANYDIR\ANYFILE.DAT" -->
You might be able to get access to any file stored on the server w/o
sufficient permissions (think credit card orders).
Joel Maslak
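The post above points at NTFS permissions as the fix. A second, complementary layer is to refuse the "file" parameter before it ever reaches FileSystemObject unless its canonical form still lies under the web root. The following is an added example, not code from the post or from IIS; the root path C:\InetPub\wwwroot and the function name resolve_web_file are assumptions, and it normalises with Windows (ntpath) rules so it can be run on any platform.

```python
import ntpath
from typing import Optional

# Assumed web root for the virtual web (constructed for this example).
WWWROOT = r"C:\InetPub\wwwroot"


def resolve_web_file(param: str, root: str = WWWROOT) -> Optional[str]:
    """Return the canonical absolute path for the requested file, or None if
    the request would land outside the web root.

    Rejection is based on the *normalised* result, not on spotting "..", so
    "/" and "\\" separators, "." segments and mixed case are all handled by
    the same containment test.
    """
    if not param or "\x00" in param:
        return None
    # Reject rooted paths ("\file", "/file") and anything carrying a drive
    # letter or UNC prefix ("C:\...", "\\server\share"): a relative name
    # under the web root is the only legitimate shape.
    if param[0] in "/\\" or ntpath.splitdrive(param)[0]:
        return None

    root_norm = ntpath.normpath(root)
    # normpath collapses "..", "." and unifies separators, so the candidate
    # is the path FSO would actually open.
    candidate = ntpath.normpath(ntpath.join(root_norm, param))

    # Containment: the candidate must lie strictly below the root. NTFS is
    # case-insensitive, so compare case-folded.
    prefix = root_norm.rstrip("\\") + "\\"
    if not candidate.lower().startswith(prefix.lower()):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample parameters: two that stay inside, two that do not.
    for p in ("default.asp", "docs/../docs/faq.htm",
              "../../private/orders.dat", r"\default.asp"):
        print(repr(p), "->", resolve_web_file(p))
```

Because the check is on the canonical result, a name such as `..\wwwroot\default.asp` that wanders out and straight back in is accepted, while `sub\..` (the root directory itself) is refused.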