[thelist] ASP: FileSystemObject.FileExists

Ken Schaefer ken at adOpenStatic.com
Wed Apr 14 22:19:57 CDT 2004

From: "Maximillian Schwanekamp" <anaxamaxan at neptunewebworks.com>
Subject: RE: [thelist] ASP: FileSystemObject.FileExists

: >The biggest gotcha I always see is people not allowing
: >read/write/modify on the directory AND an Access file.
: >Normally they only have it on the Access file. Since Access
: >requires a lock file, you need to have more permissions
: >on the directory itself where the Access file resides to
: >create the lock file.
: Another good reason to dump Access altogether, and move
: to MySQL, MSDE, or something else that does not have inherent
: filesystem security holes.

Filesystem Security holes?!? Please elaborate.

Also, I don't understand how the user account that is running the MSDE or
mySQL service can update those databases without having write NTFS
permissions either.

Furthermore, you can:
a) put the Access .mdb file outside the webroot (there's no requirement that
it be inside the webroot in the first place)
b) use IIS to restrict the permissions of the same folder (e.g. remove IIS
"Read" permissions which stops HTTP GET/POST/HEAD requests for any of the
contents of the folder, and IIS "Write" permissions, which stops HTTP PUT
etc type verbs).

: Not something that I've heard of being exploited, but on principle
: it seems crazy to that the directory where the site database
: resides would have a lax security policy in order to function.

I think this is pretty much the same for just about any database. The DBMS
must be able to write to the database file. And most decent DBMS have
transaction logs as well, so you'd need to be able to create new transaction
log files and write to those...

: On the FileSystemObject subject, does anyone know if
: Software Artisans' FileManager (an FSO replacement bundled
: with FileUp) is any more secure on IIS 6?  I have a client
: getting a Win2003 Server dedicated setup. FileManager on
: IIS 4/5 offers a number of holes due to overliberal user
: impersonation capabilities, at least in a standalone
: server environment.

I'd be really interested to know what you think these holes with
"overliberal user impersonation capabilities" are. Then I could tell you if
IIS 6.0 will help you any.


Microsoft MVP - Windows Server (IIS)

More information about the thelist mailing list