Re: IIS Security Question
From: Jason Brown [MSFT] (i-brjaso_at_online.microsoft.com)
Date: 10/05/04
- Next message: Jason Brown [MSFT]: "Re: how do I change security to get ActiveX?"
- Previous message: sue: "how do I change security to get ActiveX?"
- In reply to: Sid: "Re: IIS Security Question"
- Next in thread: gg: "Re: IIS Security Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 5 Oct 2004 14:27:10 +1000
Yes, what I alluded to is similar to SQL injection in concept. Let's say
your script took an input which specified which folder the file was going
to, a malicious user could possibly send a file which would overwrite a
system file (not likely in most scenarios) or an ASP file which could be
accessed remotely and carry out nefarious operations. Usually they wouldn't
be able to jump out of the context of the guest account, limiting problems,
but it pays to make things as safe as possible.
As long as nothing like this exists, you'll be OK. I've only ever seen an
upload script with this sort of vulnerability once.
--
Jason Brown
Microsoft GTSC, IIS

This posting is provided "AS IS" with no warranties, and confers no rights.

"Sid" <sidskiba@telus.net> wrote in message news:044301c4aa90$43f552a0$a601280a@phx.gbl...
> That is good news.
>
> I intend to scrub the user input to avoid the problem you
> mention. I am also planning to limit the access to
> trusted users.
>
> Did you have a specific example? I assume you are
> referring to SQL injection or some sort of malformed
> input that changes the operation of the ASP code in some
> way? I hope to protect from that problem.
>
> Regards,
>
> Sid
>
>>-----Original Message-----
>>that folder would only be accessible via the upload script. the only thing
>>I'd be worrying about above and beyond the usual is to make sure that the
>>script can't be misused, such as a malicious user supplying input which may
>>cause it to behave in a way you didn't design it for - such as saving to
>>another folder, or uploading an ASP script to a folder which they can
>>subsequently access via HTTP
>>
>>--
>>Jason Brown
>>Microsoft GTSC, IIS
>>
>>This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>>"Sid" <sidskiba@telus.net> wrote in message
>>news:320b01c4aa8a$13194b10$a301280a@phx.gbl...
>>> I have sort of a general question about file uploading.
>>> IIS 5.1
>>>
>>> I have a web site at c:\inetpub\wwwroot\
>>>
>>> I also have a directory at c:\images\ (not in the wwwroot
>>> nor a virtual folder)
>>>
>>> I have read/write/modify on c:\images\ for IUSR account.
>>>
>>> Only Read/Execute on wwwroot
>>>
>>> I am looking to use a script to allow image uploads on a
>>> password secure ASP page to the images directory.
>>>
>>> I have a question about general security of this though
>>> and am not bright enough to test this. Can someone who
>>> knows there is a directory c:\images\ use an HTTP command
>>> or some other method to put files into that directory
>>> without even having access to the upload script? Like a
>>> PUT or PUSH of some sort?
>>>
>>> Or is the directory safe as it is out of the wwwroot and
>>> is not a virtual directory?