[thelist] ASP: FileSystemObject.FileExists

Maximillian Schwanekamp anaxamaxan at neptunewebworks.com
Wed Apr 14 23:05:55 CDT 2004

>Filesystem Security holes?!? Please elaborate.
>a) put the Access .mdb file outside the webroot (there's no requirement
>it be inside the webroot in the first place)
>b) use IIS to restrict the permissions of the same folder

While it's true that you can (and should) put the .mdb outside the webroot,
in practice (in my admittedly limited experience!) it usually *is* in the
webroot, at least in a shared hosting environment.  IIRC, Access usually
runs under IUSR, so it gets write permission in order to create a lock file.
Perhaps I am mistaken on that point.  In retrospect, I probably am.  Anyway
that's what I meant by "filesystem security hole."  Sorry.  Bad wording.

>I think this is pretty much the same for just about any database. The DBMS
>must be able to write to the database file. And most decent DBMS have
>transaction logs as well

But those RDBMSs *always* have their data files outside the webroot, and in
the case of SQL Server, Oracle and the like, usually on a different machine
entirely.  Further, these do not encourage IUSR to have write permission on
the data/log files.

>I'd be really interested to know what you think these holes with
>"overliberal user impersonation capabilities" are.

SoftArtisans' FileManager has a "LogonUser" method that allows the script to
switch user contexts while executing an ASP script.  It allows the script to
act with the permissions of any user for whom the username/password are
supplied.  In some scenarios (such as an IIS application running in high
isolation, IIRC) using that method requires granting IWAM the right to act
as part of the OS, which seems potentially dangerous.  The method is one of
the perks of using FileManager in place of the regular FSO.  This seems
"overliberal" to me.  This issue came up with a client some 18 months back,
way before IIS6.  They were having security problems, and Microsoft Security
folks brought this up for us.  A member of that same MS team had suggested
to us at the time that IIS6 would not allow this sort of arbitrary user
context switching within a web script.  Dunno if that's true or not!

Maximillian Von Schwanekamp
Dynamic Websites and E-Commerce
voice: 541-302-1438
fax: 208-730-6504
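
The point made in this thread about keeping the .mdb outside the webroot can be checked mechanically. The following is an added example, not part of the original message: it classifies the database path in each connection string against a webroot. The connection strings and the `C:\Inetpub\wwwroot` webroot are constructed samples, and the function names are hypothetical.

```python
import ntpath  # Windows path rules, usable on any OS
import re

# Constructed sample connection strings (illustrative, not from the thread).
SAMPLE_CONN_STRINGS = [
    r"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Inetpub\wwwroot\shop\db\store.mdb",
    r"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=D:\data\private\store.mdb",
    r"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\inetpub\WWWROOT\..\wwwroot\app\users.mdb;",
    r"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Inetpub\wwwroot-data\store.mdb",
    r"Driver={Microsoft Access Driver (*.mdb)};DBQ=db\store.mdb",
]

_SOURCE_KEY = re.compile(r"(?:^|;)\s*(?:Data Source|DBQ)\s*=\s*([^;]+)", re.I)


def database_path(conn_string):
    """Return the file path named by Data Source= or DBQ=, or None."""
    match = _SOURCE_KEY.search(conn_string)
    return match.group(1).strip().strip('"') if match else None


def classify(path, webroot):
    """Return 'inside', 'outside' or 'relative' for path against webroot."""
    if not ntpath.isabs(path):
        return "relative"  # resolved at run time by the application; review by hand
    p = ntpath.normcase(ntpath.normpath(path))      # folds case, collapses ".."
    r = ntpath.normcase(ntpath.normpath(webroot))
    if ntpath.splitdrive(p)[0] != ntpath.splitdrive(r)[0]:
        return "outside"
    # Compare whole components, so C:\Inetpub\wwwroot-data is not "inside".
    return "inside" if ntpath.commonpath([p, r]) == r else "outside"


def audit(conn_strings, webroot):
    """Return (path, verdict) for every connection string naming a file."""
    results = []
    for conn_string in conn_strings:
        path = database_path(conn_string)
        if path is not None:
            results.append((path, classify(path, webroot)))
    return results


if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_CONN_STRINGS, r"C:\Inetpub\wwwroot"):
        print(f"{verdict:8} {path}")
```

Any path reported as `inside` is a database file that the web server could serve or that needs write permission granted within the published tree.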
