I just want to know WHY Write (NTFS) permission is required for reading the
source code of a script.
Both IIS 5.0 and IIS 6.0 have the same behavior.
Ömer Faruk Özer
Researcher
Ulusal Elektronik ve Kriptoloji Araştırma Enstitüsü
PK 74, 41470 Gebze, KOCAELİ, TÜRKİYE
Tel : +90 262 648 16 21
Fax : +90 262 648 11 00
e-mail : [EMAIL PROTECTED]
-----Original Message-----
From: M. Burnett [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 13, 2005 10:14 PM
To: [EMAIL PROTECTED]; [email protected]
Subject: Re: IIS Script source access permission and NTFS DACLs
We really could use more detail about what you are saying/asking here. What
version of IIS are you talking about? Also, what read/write permissions are
you talking about? Do you mean the settings in IIS or the actual NTFS
permissions?
One caution--allowing WebDAV access to your website and giving the anonymous
user write or even read permissions can be very dangerous.
Mark Burnett
On Tue, 13 Dec 2005 14:42:17 +0200, Ömer Faruk Özer wrote:
> Hi,
>
> The "Script source access" permission in IIS allows users to see the source
> code of scripts. This is achieved by sending the "translate: f" WebDAV
> header after the GET method.
>
> Here is an example you can try with telnet:
>
> GET /login.asp HTTP/1.0
> translate: f
>
>
> If the following conditions are met you should see the source code of
> the script instead of its processed output.
>
> 1. WebDAV must be enabled, because translate: f is a WebDAV header
> 2. Script source access must be checked
> 3. NTFS DACL of the login.asp must be IUSR_machinename:WRITE (if
> Anonymous authentication is in place)
>
> Is there anybody who knows why the READ right alone is not enough?
>
> Omer Faruk Ozer
> Researcher
> National Research Institute of Electronics and Cryptology
> P.O. Box 74, 41470 Gebze, KOCAELI, TURKEY
>
> Phone : +90 262 648 16 21
> Fax : +90 262 648 11 00
> e-mail : [EMAIL PROTECTED]
>
>
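As an added defender-side example (not code from anyone in this thread): a small Python check that flags requests for script files carrying the WebDAV Translate: f header described above, plus a heuristic for telling whether a response body is unprocessed ASP source rather than rendered output. The sample requests and bodies are constructed; real IIS logs do not record request headers by default, so this is meant for proxy or WAF captures.

```python
"""Flag HTTP requests that carry 'Translate: f' for script files and judge
whether a response to a .asp request contains unprocessed server-side source."""
import re
from typing import Dict, List, Tuple

SCRIPT_EXT = (".asp", ".asa", ".inc")
# Server-side ASP delimiters; a processed page never returns these to the client.
ASP_TAG = re.compile(r"<%.*?%>", re.S)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, path, headers); header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_source_access_attempt(raw: str) -> bool:
    """True for a GET of a script file with Translate: f.
    Header names and the value are case-insensitive, so 'TRANSLATE: F' must match too."""
    method, path, headers = parse_request(raw)
    target = path.split("?", 1)[0].lower()
    return (method == "GET" and target.endswith(SCRIPT_EXT)
            and headers.get("translate", "").lower() == "f")


def looks_like_asp_source(body: str) -> bool:
    """Rendered output has no <% ... %> blocks; their presence means the raw script came back."""
    return ASP_TAG.search(body) is not None


def triage(requests: List[str]) -> List[str]:
    """Return the request paths that should be investigated."""
    return [parse_request(r)[1] for r in requests if is_source_access_attempt(r)]


# Constructed sample traffic, not real captures.
SAMPLE_REQUESTS = [
    "GET /login.asp HTTP/1.0\r\ntranslate: f\r\n\r\n",
    "GET /login.asp HTTP/1.0\r\nHost: www\r\n\r\n",
    "GET /images/logo.gif HTTP/1.0\r\nTranslate: f\r\n\r\n",
    "GET /admin/db.asp?id=1 HTTP/1.1\r\nHost: www\r\nTRANSLATE: F\r\n\r\n",
]
LEAKED = '<%@ Language=VBScript %>\r\n<% Set conn = Server.CreateObject("ADODB.Connection") %>\r\n<html>'
RENDERED = "<html><body>Please log in</body></html>"

if __name__ == "__main__":
    print(triage(SAMPLE_REQUESTS))                                  # ['/login.asp', '/admin/db.asp?id=1']
    print(looks_like_asp_source(LEAKED), looks_like_asp_source(RENDERED))  # True False
```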