IIS Script source access permission and NTFS DACLs


"Script source access" permission in IIS allows users to see source code of
scripts. This is achieved by sending "translate: f" WebDAV header after GET

Here is an example you can try with telnet:

GET /login.asp HTTP/1.0
translate: f

If following conditions are met you should see the source code of the script
instead of its processed output.

1. WebDAV must be enabled. Because translate: f is a WebDAV header
2. Script source access must be checked
3. NTFS DACL of the login.asp must be IUSR_machinename:WRITE (if Anonymous
authentication is in place)

Is there anybody who knows why just READ right is not enough?

Omer Faruk Ozer
National Research Institute of Electronics and Cryptology
P.O. Box 74, 41470 Gebze, KOCAELI, TURKEY

Phone : +90 262 648 16 21
Fax : +90 262 648 11 00
e-mail : faruk.ozer@xxxxxxxxxxxxxxxxxxxx