Re: IIS Security Question

From: Sid (sidskiba_at_telus.net)
Date: 10/05/04


Date: Mon, 4 Oct 2004 21:03:26 -0700

That is good news.

I intend to scrub the user input to avoid the problem you
mention. I am also planning to limit the access to
trusted users.

Did you have a specific example? I assume you are
referring to SQL injection or some sort of malformed
input that changes the operation of the ASP code in some
way? I hope to protect from that problem.

Regards,

Sid
>-----Original Message-----
>that folder would only be accessible via the upload script. the only thing
>I'd be worrying about above and beyond the usual is to make sure that the
>script can't be misused, such as a malicious user supplying input which may
>cause it to behave in a way you didn't design it for - such as saving to
>another folder, or uploading an ASP script to a folder which they can
>subsequently access via HTTP
>
>
>--
>Jason Brown
>Microsoft GTSC, IIS
>
>This posting is provided "AS IS" with no warranties, and confers no
>rights.
>
>
>"Sid" <sidskiba@telus.net> wrote in message
>news:320b01c4aa8a$13194b10$a301280a@phx.gbl...
>>I have sort of a general question about file uploading.
>> IIS 5.1
>>
>> I have a web site at c:\inetpub\wwwroot\
>>
>> I also have a directory at c:\images\ (not in the wwwroot
>> nor a virtual folder)
>>
>> I have read/write/modify on c:\images\ for IUSR account.
>>
>> Only Read/Execute on wwwroot
>>
>> I am looking to use a script to allow image uploads on a
>> password secure ASP page to the images directory.
>>
>> I have a question about general security of this though
>> and am not bright enough to test this. Can someone who
>> knows there is a directory c:\images\ use an HTTP command
>> or some other method to put files into that directory
>> without even having access to the upload script? Like a
>> PUT or PUSH of some sort?
>>
>> Or is the directory safe as it is out of the wwwroot and
>> is not a virtual directory?
>
>
>.
>
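
The two misuse cases raised in the quoted reply (a save landing in another folder, and an ASP script being uploaded), shown as a filename check. This is an added example, not part of the original thread, written in Python with `ntpath` rather than ASP so the Windows path rules can be run anywhere. The function name `safe_upload_path`, the extension allowlist and the name pattern are assumptions; `c:\images` is the folder from the thread.

```python
import ntpath  # Windows path rules on any OS, so the example runs offline
import re

UPLOAD_ROOT = "c:\\images"  # upload folder from the thread
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}  # assumed image allowlist
# Assumed policy: the stem is letters, digits, "_" or "-" only. This rejects
# extra dots, ";", ":" (NTFS streams) and trailing dots/spaces that Windows drops.
SAFE_STEM = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")
RESERVED = {"con", "prn", "aux", "nul"} | {
    f"{dev}{n}" for dev in ("com", "lpt") for n in range(1, 10)
}


def safe_upload_path(client_name):
    """Map a client-supplied filename to a path directly inside UPLOAD_ROOT.

    Raises ValueError for anything that is not a plainly named image file.
    """
    # Browsers may send a full client path; keep only the last component.
    # ntpath treats both "\\" and "/" as separators and drops drive prefixes.
    name = ntpath.basename(client_name)
    stem, ext = ntpath.splitext(name)
    if not SAFE_STEM.fullmatch(stem):
        raise ValueError("filename contains characters outside the allowlist")
    if ext.lower() not in ALLOWED_EXT:
        raise ValueError("extension is not an allowed image type")
    if stem.lower() in RESERVED:
        raise ValueError("reserved DOS device name")
    target = ntpath.normpath(ntpath.join(UPLOAD_ROOT, name))
    # Defence in depth: the resolved parent must still be the upload folder.
    if ntpath.dirname(target).lower() != UPLOAD_ROOT.lower():
        raise ValueError("resolved path escapes the upload folder")
    return target


if __name__ == "__main__":
    # Constructed sample filenames, not taken from the thread.
    for sample in ["holiday.jpg", "..\\inetpub\\wwwroot\\shell.asp",
                   "shell.asp;.jpg", "pic.jpg::$DATA", "nul.jpg"]:
        try:
            print(repr(sample), "->", safe_upload_path(sample))
        except ValueError as err:
            print(repr(sample), "-> rejected:", err)
```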


