Hi,
We(JWNTUG(Japan Windows NT Users Group) Security Working Group)
reported MS about a kind of DoS problem on mailroot and ftproot
directories of IIS.
Those directories(C:\Inetpub\ftproot,\mailroot) are readable
and writable for everyone.
So we tested following script as C:\inetpub\mailroot\fill.bat
:fill
copy drop\*.* pickup
goto fill
This script can be executed by any user and hard disk will
be filled with emails soon after some emails come into "drop"
directory. We tested also from Terminal Server. It works well.
In addition, any user can read and write email in drop folder.
We reported MS and they replied as followings..
You're right -- those permissions shouldbe tightened.
We're going to add this to the IIS Security Checklist at
http://www.microsoft.com/security/products/iis/CheckList.asp,
to make sure that customers know that they need to do this.
Thanks again for reporting the issue! Regards,
[EMAIL PROTECTED]
----------------------------------------------------------------
Nobuo Miwa
A member of JWNTUG Security Working Group
http://www.jwntug.or.jp
Special thanks to
Hideaki Ihara<[EMAIL PROTECTED]>
YOKOYAMA Tetsuya <[EMAIL PROTECTED]>
