Re: ASPX form Uploads a file even without IIS Write permission
From: KayZer Soze (thesuspects_at_thesuspects.net)
Date: 08/25/05
- Next message: Peter Eriksson: "IIS 6.0 After Service pack 1 2003 Server"
- Previous message: z f: "how to configure SSL certificate programmatically?"
- In reply to: David Wang [Msft]: "Re: ASPX form Uploads a file even without IIS Write permission"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 25 Aug 2005 11:40:08 -0300
A sad event: When i asked the developer about the web.config and
machine.config files, the answer was: "What is it?"
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:OwlOPjEqFHA.3304@TK2MSFTNGP11.phx.gbl...
> Basically, you have to understand that the "Write" Property in IIS does
not
> control whether files can be written to the server at all -- it only
> controls standard HTTP "write" operations like PUT. In fact, ASPX form
> Uploads are not standard HTTP as far as IIS is concerned -- it is custom
> behavior controlled by other mechanisms.
>
> I realize that you probably think HTTP uploads are the "write" permissions
> that should be secured, and that PUT is something bizarre that you have no
> idea of... but sorry, a bunch of W3C standards bodies are disagreeing with
> you here. ;-)
>
>
> Ok, when I talk about "you" in the following, I really mean your
customer...
>
> Your problems come from the fact that you are implementing your own custom
> authentication/authorization scheme and pretty much disabled
> NTFS/IIS/ASP.Net based authentication/authorization schemes. Thus, you are
> solely responsible for making your custom configuration secure.
>
> The basic concept in compuing is that you can only implement
> authentication/authorization if you are part of the "trusted computing
base"
> (and by trusted, it means you can do anything). If your custom
> authentication/authorization does not lock down everything and leaves the
> gates wide-open for another system to take advantage of it, of course the
> system will be insecure -- because of the failure of a member of the
trusted
> computing base. This sort of problem is an issue with the user design, and
> not a security problem in IIS/Windows.
> 1. You have Anonymous authentication enabled and IUSR has RWXD on the
> directories in question, meaning you have effectively disabled NTFS-based
> security for everyone
> 2. IIS-based authorization relies on ACLs for file access and HTTP-based
> concepts, so it is completely tangential to the issue of accepting HTTP
> uploads via POST. IIS simply has no idea whether a given POST request is
> writing to the filesystem or not -- it just knows a POST came and a blob
of
> code runs to handle it -- so custom security requires that piece of code
to
> implement authorization on when to write to the filesystem.
>
> This means that if you have a post acceptor on your webserver which
accepts
> uploads without proper authentication/authorization, then yes, anyone can
> upload and possibly execute files on your webserver without you knowing --
> and the behavior is completely by design due to your configuration and is
> not a flaw in IIS/Windows.
>
> I'm sorry for my matter-of-fact tone, but generally:
> 1. People love writing/using custom authentication/authorization because
it
> is easier than Windows ACLs
> 2. However, custom authentication/authorization is harder to secure than
> Windows
>
> You're looking at a prime example...
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> //
> "FB" <FB@discussions.microsoft.com> wrote in message
> news:BE8D5219-2A84-47F6-BFAC-07D6DB4B9CCC@microsoft.com...
> Ok, tanks for the answer.
>
> If i understood, even without Read IIS Access, ASP pages (and others
> script-mapped extensions) runs, because the Run Scripts IIS permission is
> set
> on...
>
> Another related question: If Write IIS property does not protect against a
> ASP Upload, what the purpose of the Write IIS property? In wich situation
> will be usefull to uncheck the Write IIS Permission?
>
> The problems related in this article comes from the fact that i´m worried
> about the security configuration, of my customer, where the IUSR_ have
RWXD
> Rights on NTFS. Anyone can upload files to the server? Someone can use a
> http
> client to upload files to my server without my knowledge?
>
> All ASP pages have a mechanism (made by developers, in ASP, years ago) to
> test if the user was authenticated on a Sybase Database and several other
> pages checks security information on DBS and AS/400 databases. It is why
the
> IUSR have a wider right on the NTFS, all authentication requests are not
> being manipulated by IIS. A malicious user can upload file to my server??
>
> "David Wang [Msft]" wrote:
>
> > By design due to how it is configured.
> >
> >
>
http://blogs.msdn.com/david.wang/archive/2005/08/20/Why_can_I_upload_a_file_without_IIS_Write_Permission.aspx
> >
> > --
> > //David
> > IIS
> > http://blogs.msdn.com/David.Wang
> > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> > //
> > "FB" <FB@discussions.microsoft.com> wrote in message
> > news:B9069C32-8121-42BD-A591-CF04B3EDE0E2@microsoft.com...
> > A customer have a IIS 6 web server and even with IIS Write property
> > DISABLED,
> > an ASPX form can upload files to the server.
> >
> > The authentication is Anon (via IUSR_ user) and the IUSR_User have RWXD
> > rights on the folder where the upload is stored.
> >
> > In the properties of the IIS folder where upload is done, the Read
> > permission is set, but Write, SourceAccerss and Browse are disabled.
> >
> > Why the upload works???
> >
> >
> >
>
>
- Next message: Peter Eriksson: "IIS 6.0 After Service pack 1 2003 Server"
- Previous message: z f: "how to configure SSL certificate programmatically?"
- In reply to: David Wang [Msft]: "Re: ASPX form Uploads a file even without IIS Write permission"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
