I am having an argument with someone right now about permissions and the
anonymous IUSER. This person has insisted that I give the IUSER write
permissions to a web site he is developing so that he can get his ASP code
to work. I have compromised by creating a subdirectory for him. My ideal
setup would be to have his ASP pages in the root of the web, and then have
those pages use this sub-directory to create and write these temporary data
files he needs. Instead of modifying his code he has simply moved all of
his ASP pages into that subdirectory to run.

I want to prove to my manager that this is bad and that our developer needs
to secure his code.

Anybody know of a good exploit I can demo? How can I write a file to this
web site as if I were an anonymous user? Can I simply rename his ASP files
as the IUSER and prove that I can take down the site?

Any advice would be appreciated, thanks.

Re: IUSER and Write Access Problem by Ken

Ken
Thu Feb 03 19:05:51 CST 2005

Please see response in iis.security.

In future, if you need to post to multiple groups, please place all the
group names in the To: field, and everyone will then be able to see all
responses in all groups.

Cheers
Ken

"ShootMePlease" <nospam@nospam.org> wrote in message
news:OpR4b$jCFHA.3328@TK2MSFTNGP14.phx.gbl...
> I am having an argument with someone right now about permissions and the
> anonymous IUSER. This person has insisted that I give the IUSER write
> permissions to a web site he is developing so that he can get his ASP code
> to work. I have compromised by creating a subdirectory for him. My ideal
> setup would be to have his ASP pages in the root of the web, and then have
> those pages use this sub-directory to create and write these temporary data
> files he needs. Instead of modifying his code he has simply moved all of
> his ASP pages into that subdirectory to run.
>
> I want to prove to my manager that this is bad and that our developer needs
> to secure his code.
>
> Anybody know of a good exploit I can demo? How can I write a file to this
> web site as if I were an anonymous user? Can I simply rename his ASP files
> as the IUSER and prove that I can take down the site?
>
> Any advice would be appreciated, thanks.
>

Re: IUSER and Write Access Problem by Kristofer

Kristofer
Sat Feb 05 03:43:44 CST 2005

Hi,

I'm quoting from the "Shared Web Hosting Development Guide"[1], the
"Access Control Best Practices" section:

"Never allow anonymous user (IUSR) Write permission"

Ken explains why in the iis.security newsgroup.

[1]: You can download it from here:
http://www.microsoft.com/serviceproviders/webhosting/default.asp

You need a .NET Passport to sign in (don't ask me why you need to
register...)

--
Regards,
Kristofer Gafvert
www.gafvert.info - My Articles and help
www.ilopia.com


ShootMePlease wrote:

> I am having an argument with someone right now about permissions and the
> anonymous IUSER. This person has insisted that I give the IUSER write
> permissions to a web site he is developing so that he can get his ASP code
> to work. I have compromised by creating a subdirectory for him. My ideal
> setup would be to have his ASP pages in the root of the web, and then have
> those pages use this sub-directory to create and write these temporary data
> files he needs. Instead of modifying his code he has simply moved all of
> his ASP pages into that subdirectory to run.
>
> I want to prove to my manager that this is bad and that our developer needs
> to secure his code.
>
> Anybody know of a good exploit I can demo? How can I write a file to this
> web site as if I were an anonymous user? Can I simply rename his ASP files
> as the IUSER and prove that I can take down the site?
>
> Any advice would be appreciated, thanks.
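
An added audit check, written here as an example and not part of this thread or of the guide Kristofer cites: it walks a site root and reports every directory in which an anonymous web account holds a right that allows creating, changing or deleting files. Directories that are writable and also contain server-side script files (the situation the original poster describes, ASP pages moved into the writable subdirectory) are marked high severity, because with anonymous authentication the ASP pages execute under that account and can therefore add or replace script files in the same directory. The web root path, the account names (IUSR_<machine> on IIS 5/6; IUSR and IIS_IUSRS on IIS 7 and later) and the extension list are assumptions to adjust for the server being checked.

```powershell
# Added example, not from the newsgroup thread. Assumed defaults: site root,
# anonymous account names and the set of server-side script extensions.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot',
    [string[]]$AnonymousAccounts = @('IUSR', "IUSR_$env:COMPUTERNAME", 'IIS_IUSRS'),
    [string[]]$ScriptExtensions = @('.asp', '.asa', '.aspx', '.ashx', '.asmx')
)

# Any of these rights on a directory lets the principal plant, change or remove files.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeRights = $fsr::Write -bor $fsr::Modify -bor $fsr::FullControl -bor
               $fsr::CreateFiles -bor $fsr::WriteData -bor $fsr::AppendData -bor
               $fsr::Delete

# The root itself plus every subdirectory beneath it.
$dirs = @(Get-Item -LiteralPath $WebRoot) +
        @(Get-ChildItem -LiteralPath $WebRoot -Directory -Recurse)

foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName

    # Collect Allow ACEs granted to an anonymous account that include a write-class right.
    $writers = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $shortName = $ace.IdentityReference.Value.Split('\')[-1]
        if ($AnonymousAccounts -contains $shortName -and
            (($ace.FileSystemRights -band $writeRights) -ne 0)) {
            $ace.IdentityReference.Value
        }
    }
    if (-not $writers) { continue }

    # Script files living in a directory the anonymous account can write to.
    $scripts = @(Get-ChildItem -LiteralPath $dir.FullName -File |
                 Where-Object { $ScriptExtensions -contains $_.Extension.ToLower() })

    [pscustomobject]@{
        Directory      = $dir.FullName
        AnonymousWrite = (($writers | Select-Object -Unique) -join ', ')
        ScriptFiles    = $scripts.Count
        Severity       = if ($scripts.Count -gt 0) {
                             'HIGH: anonymous write in a directory holding server-side script'
                         } else {
                             'MEDIUM: anonymous write'
                         }
    }
}
```

Run it on the web server from an elevated prompt, for example as `.\Find-AnonymousWrite.ps1 -WebRoot 'D:\sites\devsite'`. The arrangement the original poster calls ideal (script in the root, anonymous write only on a data subdirectory that holds no script files) shows up as a single MEDIUM line for the data directory; the arrangement the developer chose shows up as HIGH, which is the finding to take to the manager.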