Re: ASPX form Uploads a file even without IIS Write permission
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 08/24/05
- Previous message: Elmer Miller: "Re: IIS6.0 prompting for logon"
- In reply to: FB: "Re: ASPX form Uploads a file even without IIS Write permission"
- Next in thread: KayZer Soze: "Re: ASPX form Uploads a file even without IIS Write permission"
- Reply: KayZer Soze: "Re: ASPX form Uploads a file even without IIS Write permission"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 23 Aug 2005 17:53:46 -0700
Basically, you have to understand that the "Write" Property in IIS does not
control whether files can be written to the server at all -- it only
controls standard HTTP "write" operations like PUT. In fact, ASPX form
Uploads are not standard HTTP as far as IIS is concerned -- it is custom
behavior controlled by other mechanisms.
I realize that you probably think HTTP uploads are the "write" permissions
that should be secured, and that PUT is something bizarre that you have no
idea of... but sorry, a bunch of W3C standards bodies are disagreeing with
you here. ;-)
Ok, when I talk about "you" in the following, I really mean your customer...
Your problems come from the fact that you are implementing your own custom
authentication/authorization scheme and pretty much disabled
NTFS/IIS/ASP.Net based authentication/authorization schemes. Thus, you are
solely responsible for making your custom configuration secure.
The basic concept in compuing is that you can only implement
authentication/authorization if you are part of the "trusted computing base"
(and by trusted, it means you can do anything). If your custom
authentication/authorization does not lock down everything and leaves the
gates wide-open for another system to take advantage of it, of course the
system will be insecure -- because of the failure of a member of the trusted
computing base. This sort of problem is an issue with the user design, and
not a security problem in IIS/Windows.
1. You have Anonymous authentication enabled and IUSR has RWXD on the
directories in question, meaning you have effectively disabled NTFS-based
security for everyone
2. IIS-based authorization relies on ACLs for file access and HTTP-based
concepts, so it is completely tangential to the issue of accepting HTTP
uploads via POST. IIS simply has no idea whether a given POST request is
writing to the filesystem or not -- it just knows a POST came and a blob of
code runs to handle it -- so custom security requires that piece of code to
implement authorization on when to write to the filesystem.
This means that if you have a post acceptor on your webserver which accepts
uploads without proper authentication/authorization, then yes, anyone can
upload and possibly execute files on your webserver without you knowing --
and the behavior is completely by design due to your configuration and is
not a flaw in IIS/Windows.
I'm sorry for my matter-of-fact tone, but generally:
1. People love writing/using custom authentication/authorization because it
is easier than Windows ACLs
2. However, custom authentication/authorization is harder to secure than
Windows
You're looking at a prime example...
-- //David IIS http://blogs.msdn.com/David.Wang This posting is provided "AS IS" with no warranties, and confers no rights. // "FB" <FB@discussions.microsoft.com> wrote in message news:BE8D5219-2A84-47F6-BFAC-07D6DB4B9CCC@microsoft.com... Ok, tanks for the answer. If i understood, even without Read IIS Access, ASP pages (and others script-mapped extensions) runs, because the Run Scripts IIS permission is set on... Another related question: If Write IIS property does not protect against a ASP Upload, what the purpose of the Write IIS property? In wich situation will be usefull to uncheck the Write IIS Permission? The problems related in this article comes from the fact that i´m worried about the security configuration, of my customer, where the IUSR_ have RWXD Rights on NTFS. Anyone can upload files to the server? Someone can use a http client to upload files to my server without my knowledge? All ASP pages have a mechanism (made by developers, in ASP, years ago) to test if the user was authenticated on a Sybase Database and several other pages checks security information on DBS and AS/400 databases. It is why the IUSR have a wider right on the NTFS, all authentication requests are not being manipulated by IIS. A malicious user can upload file to my server?? "David Wang [Msft]" wrote: > By design due to how it is configured. > > http://blogs.msdn.com/david.wang/archive/2005/08/20/Why_can_I_upload_a_file_without_IIS_Write_Permission.aspx > > -- > //David > IIS > http://blogs.msdn.com/David.Wang > This posting is provided "AS IS" with no warranties, and confers no rights. > // > "FB" <FB@discussions.microsoft.com> wrote in message > news:B9069C32-8121-42BD-A591-CF04B3EDE0E2@microsoft.com... > A customer have a IIS 6 web server and even with IIS Write property > DISABLED, > an ASPX form can upload files to the server. > > The authentication is Anon (via IUSR_ user) and the IUSR_User have RWXD > rights on the folder where the upload is stored. > > In the properties of the IIS folder where upload is done, the Read > permission is set, but Write, SourceAccerss and Browse are disabled. > > Why the upload works??? > > >
- Previous message: Elmer Miller: "Re: IIS6.0 prompting for logon"
- In reply to: FB: "Re: ASPX form Uploads a file even without IIS Write permission"
- Next in thread: KayZer Soze: "Re: ASPX form Uploads a file even without IIS Write permission"
- Reply: KayZer Soze: "Re: ASPX form Uploads a file even without IIS Write permission"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
