Three methods to disable FSO

Three methods to disable FSO

Author: Military sentiment

FSO (FileSystemObject) is a control of Microsoft ASP for file operations. It can read, write, create, modify, and delete directories and files on the server. Is a very useful control in ASP programming.

However, due to permission control problems, FSO of many virtual host servers has become a public backdoor for this server, because customers can directly program the control in their own ASP Web pages, to control the server and even delete files on the server.

Therefore, many virtual host providers have simply turned off the control, reducing the customer's flexibility.

Three methods to disable the FileSystemObject component

As we all know, the powerful functions and destructiveness of the FileSystemObject component are the reasons why it is often disabled by free home page providers (those that support ASP). I have sorted out that I have only found two methods, later, when I was excited by someone, I thought of the third unknown method. I don't know if this is the case.

First, use regsvr32/U c: \ winnt \ system32 \ scrrun. DLL to cancel the component. This method is too cool and belongs to the same method, which is useless to everyone.

Type 2: Modify the value of progid. The method for calling components in ASP is usually set object name = server. createobject ("progid"). In this case, you can disable this component by modifying the progid value in the registry. In start-run, enter regedit and find hkey_classes_rootscripting.filesystemobject. Then, we can change the value of the progid, for example, scripting. filesystemobject8. The following code is called on the ASP page:

<% @ Language = VBScript %>

<%

Set FS = server. Createobject ("scripting. filesystemobject8 ")

%>

(If you have not called this component before, you do not need to restart it to see the effect. Otherwise, restart the component to see the effect .)

At this time, let's look at the results of the original call method:

<% @ Language = VBScript %>

<%

Set FS = server. Createobject ("scripting. FileSystemObject ")

%>

The running result is:

The server object is incorrect. asp 0177: 800401f3

Server. Createobject failed

/Aspimage/testfile2.asp, Row 3

800401f3

(OK to meet our requirements)

This method is delayed by two steps, and the result is a result that someone else is eager to answer, which greatly stimulates me and produces the third method.

the third type: Careful experts may wonder whether CLSID can be modified as well, since the component can be disabled by modifying the progid value? (OK, like me) We know that apart from the Createobject method, you can also use the general annotation to create a component, we can use the HTML annotation in ASP to add a component to the webpage.
method:
runat indicates that the task is executed on the server, and scope indicates the life cycle of the component. You can select session, application, or page (indicating the current page or default) this method is useless.
another method is:
. You can also disable this component by modifying the value of this CLSID. For example, you can change the value of hkey_classes_rootscripting.filesystemobjectclsid in the Registry to 0d. 43fe01-f093-11cf-8940-00a0c9054229 (changed the last one)
the statement is as follows:

View the running result, no problem. OK.
in this case, we use

an error occurs.

Create a user: iusr_domain

Set the site's anonymous user iusr_domain in IIS

Cacls: Set Directory Permissions

In this way, FSO is available, but it will not affect others.