[PEN-TEST] IIS File System Object
From: "Gay, Benjamin CA" <beng () ISFAX CO ZA>
Date: Thu, 18 Jan 2001 13:44:20 +0200
I am looking at an IIS 4 web server. I have noticed that I can access
the entire volume by writing a script using the File System Object.
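'// Just a silly example
strRootFolder = "D:\"
Set oFSO = Server.CreateObject("Scripting.FileSystemObject")
Set oFolder = oFSO.GetFolder(strRootFolder)
' List every subfolder of the root that the script's account can read
For Each oSubFolder In oFolder.SubFolders
    Response.Write oSubFolder & "<BR>"
Next
Set oFolder = Nothing
Set oFSO = Nothing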
Is it possible to allow legitimate users access to their own "Home"
folders and nowhere else? The reason I am confused is that my
understanding is that "IIS_ANONYMOUS" or "whatever" service account
is used. If you have multiple sites that require scripting you would
be able to get their contents (i.e. all the different sites would
have script permissions).
Anyone have any ideas on how to stop this?
Thanks in advance for my probably trivial question :-)