Magic of FSO in ASP-Permission permission

Author: Gan jiping

I discussed the basic knowledge above and then talked about permission licensing issues. FSO is run with the user account permission to create it, in other words, if someone is from the Internet

To access your page, then this Internet account will create FSO. If you log on to the computer as administrator and log on to the page

The Administrator account creates FSO. This is very important because a certain account has certain permissions and FSO requires some permissions to complete

Execute the function.

Internet account (iuser_machinename, machinename is the name of the server) generally only has read permission, which means that users cannot write

Statement file. However, there are several options to bypass this issue.

First, it is also very difficult to ask the user to log on to the server before entering the message book. However, the main point of the message book is to collect information from anonymous users, such

If users are required to log on, they must know who they are. Therefore, skip this selection and look at the next one.

The first method is to create a directory or file. The iuser_machinename user has the write permission for this. This may expose some potential security vulnerabilities.

Because anyone who knows the correct directory and has certain web skills can fill the content on the server. This is a serious taboo. So you must confirm that

The hidden location stores the information of these writable directories and tries to set these directories out of the web directory structure (for example, in windows, This Is

Is not in the inetpub directory ).