Re: ASPX form Uploads a file even without IIS Write permission

From: FB (FB_at_discussions.microsoft.com)
Date: 08/23/05

    Date: Tue, 23 Aug 2005 09:19:01 -0700
    
    

    Ok, thanks for the answer.

    If I understood, even without Read IIS Access, ASP pages (and other
    script-mapped extensions) run, because the Run Scripts IIS permission is set
    on...

    Another related question: If the Write IIS property does not protect against an
    ASP Upload, what is the purpose of the Write IIS property? In which situation
    will it be useful to uncheck the Write IIS Permission?

    The problems related in this article come from the fact that I'm worried
    about the security configuration of my customer, where the IUSR_ has RWXD
    Rights on NTFS. Anyone can upload files to the server? Someone can use an http
    client to upload files to my server without my knowledge?

    All ASP pages have a mechanism (made by developers, in ASP, years ago) to
    test if the user was authenticated on a Sybase Database, and several other
    pages check security information on DBS and AS/400 databases. That is why the
    IUSR has a wider right on the NTFS; all authentication requests are not
    being manipulated by IIS. A malicious user can upload a file to my server??

    "David Wang [Msft]" wrote:

    > By design due to how it is configured.
    >
    > http://blogs.msdn.com/david.wang/archive/2005/08/20/Why_can_I_upload_a_file_without_IIS_Write_Permission.aspx
    >
    > --
    > //David
    > IIS
    > http://blogs.msdn.com/David.Wang
    > This posting is provided "AS IS" with no warranties, and confers no rights.
    > //
    > "FB" <FB@discussions.microsoft.com> wrote in message
    > news:B9069C32-8121-42BD-A591-CF04B3EDE0E2@microsoft.com...
    > A customer has an IIS 6 web server and even with the IIS Write property
    > DISABLED, an ASPX form can upload files to the server.
    >
    > The authentication is Anon (via IUSR_ user) and the IUSR_User has RWXD
    > rights on the folder where the upload is stored.
    >
    > In the properties of the IIS folder where the upload is done, the Read
    > permission is set, but Write, SourceAccess and Browse are disabled.
    >
    > Why does the upload work???
    >
    >
    >
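
The PowerShell script below is an added example, not part of this thread or of the linked article. It audits the condition FB describes, IUSR_ holding write and delete rights on NTFS, by listing every directory under a content root where an account matching IUSR_* has an Allow entry with write-type rights. The content path, the account pattern and the function name are assumptions, and it needs PowerShell 3.0 or later.

```powershell
# Added example (not from the thread). Assumed: content path, account pattern.
param(
    [string]$ContentRoot    = 'C:\Inetpub\wwwroot',  # assumption: site content root
    [string]$AccountPattern = '*\IUSR_*'             # e.g. WEB01\IUSR_WEB01
)

# NTFS rights that let a caller create, change or remove content.
# On a directory, WriteData is the same bit as CreateFiles.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Generic bits (GENERIC_WRITE, GENERIC_ALL) can appear raw on inherit-only ACEs.
$GenericMask = 0x40000000 -bor 0x10000000

function Get-AnonymousWriteGrant {
    param([string]$Root, [string]$Pattern)

    # The root itself plus every directory below it.
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        foreach ($ace in $acl.Access) {
            # Only Allow entries for the matching account matter here.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -notlike $Pattern) { continue }

            $rights = [int]$ace.FileSystemRights
            if (($rights -band ($WriteMask -bor $GenericMask)) -eq 0) { continue }

            [pscustomobject]@{
                Path      = $dir.FullName
                Account   = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True: fix the grant on a parent folder
            }
        }
    }
}

Get-AnonymousWriteGrant -Root $ContentRoot -Pattern $AccountPattern |
    Sort-Object Path |
    Format-Table -AutoSize -Wrap
```

An empty result means no matching Allow entry with write-type rights was found; rows marked Inherited point at a parent folder whose ACL carries the grant.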

