OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Daniel Docekal (ddocMIA.CZ)
Date: Fri Jan 19 2001 - 16:24:52 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    FileSystem Object is know for this particual security flaw and it is NOT
    recommended for any environment where numerous users can misuse it. Anybody
    who, for example, wants to use server hosting based on NT/W2K should
    deregister dll where FileSystemObject is - there are several replacements of
    FileSystemObject available (3rd party). This is also recommended and well
    documented in Microsoft white papers about securing web server installation

    Daniel

    > -----Original Message-----
    > From: NA [mailto:rootCYPHERNAUT.NET]
    > Sent: Friday, January 19, 2001 1:18 AM
    > To: PEN-TESTSECURITYFOCUS.COM
    > Subject: Re: [PEN-TEST] IIS File System Object
    >
    >
    > I wrote a tool to browse,view,and download any file off of
    > any drive, all I
    > need to do i
    > upload my asp file.
    >
    > This problem has been known for a while.
    >
    > ASP != HTML ;)
    >
    > ASP is a full fledged language.
    >
    > ----- Original Message -----
    > From: "Gay, Benjamin CA" <bengISFAX.CO.ZA>
    > To: <PEN-TESTSECURITYFOCUS.COM>
    > Sent: Thursday, January 18, 2001 3:44 AM
    > Subject: [PEN-TEST] IIS File System Object
    >
    >
    > > -----BEGIN PGP SIGNED MESSAGE-----
    > > Hash: SHA1
    > >
    > > Hi All,
    > >
    > > I am looking at an IIS 4 web server. I have noticed that I
    > can access
    > > the entire volume by writing a script using the File System Object.
    > >
    > > <Snip>
    > > '// Just a silly example
    > > strTheRootFolder = "D:\"
    > > Set oFolder = oFSO.GetFolder(strRootFolder)
    > > Set oFSO = Nothing
    > >
    > > For Each oSubFolder in oFolder.SubFolders
    > > Response.Write oSubFolder & "<BR>"
    > > Next
    > > </Snip>
    > >
    > > Is it possible to allow legitimate users access to there own "Home"
    > > folders and no where else? The reason I am confused is that my
    > > understanding is that "IIS_ANONYMOUS" or "whatever" service account
    > > is used. If you have multiple sites that require scripting you would
    > > be able to get there contents (i.e. all the different sites would
    > > have script permissions)
    > >
    > > Any one have any ideas on how to stop this?
    > >
    > > Thanks in advance for my probably trivial question :-)
    > >
    > > Benjamin
    > >
    > > -----BEGIN PGP SIGNATURE-----
    > > Version: PGP 7.0
    > >
    > > iQA/AwUBOmbXFPujFM+/buMIEQLVEQCfQ9LgOfhsb4ZEHqXEVzlDD14bmv4AoLYj
    > > uCYRDEv6M5v2XlMgA3pIQMSC
    > > =bmBl
    > > -----END PGP SIGNATURE-----
    > >
    >