IIS default file permissions used improperly?

This applies to IIS 6.0 with all current service packs at the time of this post.

If you set the file permissions for any default page in a directory they will be overridden by directory permissions if the web request does not include the file name.

www.abc.com/mydirectory/ Will use directory permissions for default.asp
www.abc.com/mydirectory/default.asp Will use file permissions for default.asp

Meaning even if all access is denied for default.asp the script can still be executed by the client simply by removing the file name from the URL.

www.abc.com/mydirectory/default.asp Access denied
www.abc.com/mydirectory/ Script executes

Maybe this makes sense to everyone else but this seems somewhat counter-intuitive to me. It seems like the file permissions should take precedence here if they are defined.

I made a typo, sorry.

> www.abc.com/mydirectory/ Will use directory permissions for _mydirectory_
> www.abc.com/mydirectory/default.asp Will use file permissions for default.asp

That's an interesting finding. I would email it to sec***@microsoft.com.

"CyrexCore2k" wrote:
> This applies to IIS 6.0 with all current service packs at the time of this
> post.
>
> www.abc.com/mydirectory/ Will use directory permissions for
> www.abc.com/mydirectory/default.asp Will use file permissions for default.asp
> Maybe this makes sense to everyone else but this seems somewhat
> counter-intuitive to me. It seems like the file permissions should take
> precedence here if they are defined.

They may not say it is a security vulnerability per se, but at least emailing them would increase the chance of it being fixed or at least better documented.

--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
-------------------------
Microsoft Security FAQ: http://www.securityadmin.info

Yeah, I didn't see it as a real security threat, but for the longest time I couldn't figure out why my scripts that I had set to execute using an administrative account would sometimes execute and then "randomly" hit a "permission denied" error. I emailed them so we'll see what happens.

Hi,

The behaviour is, I think, because "default.asp" is the default document you have set in IIS for your site. So when a client sends a request to the web server, the first thing to find is whether the file is available (default.asp); in your case, yes, the file is available. The second step IIS then does is to check the ACL. My suggestion is to check the default.asp file script execution by removing the file first as "Default Document" for your web and then give it a try.

Thanks & Regards
Jigs4u_4ever.

"CyrexCore2k" wrote:
> This applies to IIS 6.0 with all current service packs at the time of this
> post.
>
> If you set the file permissions for any default page in a directory they
> will be overridden by directory permissions if the web request does not
> include the file name.
>
> www.abc.com/mydirectory/ Will use directory permissions for default.asp
> www.abc.com/mydirectory/default.asp Will use file permissions for default.asp
>
> Meaning even if all access is denied for default.asp the script can still be
> executed by the client simply by removing the file name from the URL.
>
> www.abc.com/mydirectory/default.asp Access denied
> www.abc.com/mydirectory/ Script executes
>
> Maybe this makes sense to everyone else but this seems somewhat
> counter-intuitive to me. It seems like the file permissions should take
> precedence here if they are defined.
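
An added example, not written by anyone in the thread: a log check for the mismatch described in the first post, where the default document is denied when requested by name but the bare directory URL is served. The sample log lines, the `DEFAULT_DOCS` list and the function names are constructed for illustration, and the check assumes IIS logs `cs-uri-stem` as the client requested it.

```python
# Constructed sample of an IIS W3C extended log (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2006-01-10 10:00:01 GET /mydirectory/default.asp 192.0.2.10 401
2006-01-10 10:00:07 GET /mydirectory/ 192.0.2.10 200
2006-01-10 10:01:00 GET /other/default.asp 192.0.2.11 200
2006-01-10 10:01:05 GET /other/ 192.0.2.11 200
2006-01-10 10:02:00 GET /locked/default.asp 192.0.2.12 403
2006-01-10 10:02:04 GET /locked/ 192.0.2.12 403
"""

# Assumption: the default documents configured for the site.
DEFAULT_DOCS = ("default.asp", "default.htm", "index.htm")
DENIED = {"401", "403"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def find_mismatches(text, default_docs=DEFAULT_DOCS):
    """Return directories whose default document was denied by name
    while the bare directory URL returned 200."""
    denied_dirs, served_dirs = set(), set()
    for row in parse_w3c(text):
        stem = row["cs-uri-stem"].lower()
        directory, _, name = stem.rpartition("/")
        directory += "/"
        if name in default_docs and row["sc-status"] in DENIED:
            denied_dirs.add(directory)
        elif name == "" and row["sc-status"] == "200":
            served_dirs.add(directory)
    return sorted(denied_dirs & served_dirs)


if __name__ == "__main__":
    for d in find_mismatches(SAMPLE_LOG):
        print("review ACLs on the default document in", d)
```

A hit is a lead for reviewing the ACLs on that directory and its default document, not proof of the behaviour, since the two requests may have come from differently authenticated users.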