FSO (FileSystemObject) is a control of Microsoft ASP for file operations. It can read, write, create, modify, and delete directories and files on the server. Is a very useful control in ASP programming.
However, due to permission control problems, FSO of many virtual host servers has become a public backdoor for this server, because customers can directly program the control in their own ASP Web pages, to control the server and even delete files on the server.
Therefore, many virtual host providers have simply turned off the control, reducing the customer's flexibility.
FSO Enabled
1. First, find scrrun. dll in the system disk. If this file exists, go to step 3. If not, perform step 2.
2. Find scrrun. DL _ in the installation file directory i386, decompress it with winrar, get scrrun. dll, and copy it to the X (your system disk): \ windows \ system32 \ directory.
3. Run regsvr32 scrrun. dll.
4. to disable the FSO component, run regsvr32/u scrrun. dll.
Execute regsvr32.exe scrrun. dll in "run.
To disable the FSO permission, add the/u parameter in the preceding command.
Key value location in the Registry: hkey_class_boot \ F. s. o
Three methods to disable the FileSystemObject component
As we all know, the powerful and destructive feature of the FileSystemObject component is that it is often used as a free homepage.
I sorted out the reasons for disabling the service provider (which supports Asp). I found only two methods.
When someone is excited, it is hard to think of the third unknown method.
First, use regsrv32/u c: windowssystemscrrun. dll (Win98 path) to log out of the group.
. This method is too cool and belongs to the same method, which is useless to everyone.
Type 2: Modify the value of progid. The method for calling components in ASP is usually set object name = server.
Createobject ("progid"), then we can modify the progid value in the registry from
To disable this component. In start-run, enter regedit and find hkey_classes_roo.
Tscripting. FileSystemObject. Now we can change the value of this progid, such
To scripting. filesystemobject8. The following code is called on the ASP page:
<% @ Language = VBScript %>
<%
Set FS = server. Createobject ("scripting. filesystemobject8 ")
%>
(If you have not called this component before, you do not need to restart it to see the effect. Otherwise, please re-
Check the effect after startup .)
At this time, let's look at the results of the original call method:
<% @ Language = VBScript %>
<%
Set FS = server. Createobject ("scripting. FileSystemObject ")
%>
The running result is:
Server Object error 'asp 0177: 800401f3'
Server. Createobject failed
/Aspimage/testfile2.asp, Row 3
800401f3
(OK to meet our requirements)
The method is delayed by two steps, and the result is answered by others, which greatly stimulates me.
The third method is generated.
Third: the careful experts will think that since the component can be disabled by modifying the progid value, can the CLSID be modified as well? (OK, like me) We know that apart from the Createobject method, you can also use the general <Object> annotation to create a component, we can use the HTML <Object> annotation in ASP to add a component to the webpage. Method: <object runat = server id = fs1 scope = page progid = "scripting. fileSystemObject "> </Object> runat indicates that the task is executed on the server, and scope indicates the life cycle of the component. You can select session, application, or page (indicating the current page or default) this method is useless to us. Another method is:
<Object runat = server id = fs1 scope = page classid = "CLSID: CLSID value"> </Object>
You can also disable this component by modifying the value of the CLSID. For example, you can change the value of hkey_classes_rootscripting.filesystemobjectclsid in the Registry to disabled (the last bit is changed). The syntax is as follows:
<Object runat = server id = fs1 scope = page classid = "CLSID: 0d43fe01-f093-11cf-8940-00a0c9054229"> </Object>
Check the running result. No problem. OK. At this time, we use
<Object runat = server id = fs1 scope = page classid = "CLSID: 0d43fe01-f093-11cf-8940-00a0c9054228"> </Object>
At this time, an error occurs.
Create a user: iusr_domain
Set the site's anonymous user iusr_domain in IIS
Cacls: Set Directory Permissions
In this way, FSO is available, but it will not affect others.