Just for clarity, I'm wondering what the best practice is for giving the IUSR_ account write access under IIS 6.0 to a folder. I gave searching on Google a try and on here a try but nothing's really pointing me in either direction. From my understanding, giving that account write access to a folder in an Internet site would be a bad idea. This site would be a mix of Classic ASP and ASP.NET.
Anyone want to chime in on this?
-
I don't know everything about the subject, but I do know that you don't want to do it if you have WebDAV enabled. I ran into this issue a couple years ago and I'm basically copy/pasting my old post on the issue. In short, if you have WebDAV enabled, you can write to the server using PUT commands. Try it out.
- Make sure that WebDAV is Allowed in the "Web Service Extensions".
- Create a site
- Through IIS, permit READ and WRITE.
- Telnet to port 80 (i.e. telnet www.mysite.com 80)
- Type the lines below exactly as you see them, pressing Enter where marked (they will be blanked, so you won't see anything until you've finished):
PUT /uhoh.txt HTTP/1.1 [enter]
Host: localhost [enter]
Content-Length: 6 [enter]
[enter]
Scary! [enter]
At this point it should have accepted it. Check the root of your directory and view your file. You'll see that the owner is IUSR_{computer.name}.
From pk -
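A defender-side check for the scenario pk describes, added here and not part of the original thread: it scans IIS 6 W3C extended log lines (constructed samples, not real logs) for WebDAV/HTTP write methods that succeeded while running as the anonymous account, which IIS logs with a cs-username of "-".

```python
# Added example (not from the original thread): find successful write-method
# requests made by the anonymous (IUSR_) account in IIS 6 W3C extended logs.
# SAMPLE_LOG is constructed for illustration; the field order follows the
# "#Fields:" header that IIS 6 writes at the top of each log file.

WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH", "LOCK"}

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-03-01 10:00:01 192.0.2.10 GET /default.asp - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2009-03-01 10:00:05 192.0.2.10 PUT /uhoh.txt - 80 - 198.51.100.7 telnet 201 0 0
2009-03-01 10:00:09 192.0.2.10 PUT /upload/a.txt - 80 CORP\\alice 198.51.100.8 Microsoft-WebDAV-MiniRedir 201 0 0
2009-03-01 10:00:12 192.0.2.10 PUT /x.txt - 80 - 198.51.100.9 curl 403 0 0
"""

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the latest #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()  # IIS encodes spaces inside a field as '+'
        if len(values) != len(fields):
            continue  # skip malformed lines rather than misalign columns
        yield dict(zip(fields, values))

def anonymous_writes(text):
    """Return (uri, client_ip, status) for 2xx write-method requests with no cs-username.
    IIS 6 logs '-' for cs-username when the request ran as the anonymous IUSR_ account."""
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-method"].upper() not in WRITE_METHODS:
            continue
        if rec["cs-username"] != "-":
            continue  # authenticated user, not the anonymous account
        status = int(rec["sc-status"])
        if 200 <= status < 300:
            hits.append((rec["cs-uri-stem"], rec["c-ip"], status))
    return hits

if __name__ == "__main__":
    for uri, ip, status in anonymous_writes(SAMPLE_LOG):
        print(f"anonymous write succeeded: {uri} from {ip} (HTTP {status})")
```

On the sample above only the telnet PUT of /uhoh.txt is reported; the authenticated WebDAV PUT and the rejected (403) PUT are not.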
Here are my "I wouldn't do this" statements in order of amount of discomfort they cause me (least to worst):
I wouldn't give anonymous users write access to a folder on a server computer connected to the Internet.
I especially wouldn't give anonymous users write access to a folder on a server computer configured to run scripts.
I really, really, really wouldn't give anonymous users write access to a folder on a server computer configured to run arbitrary executables.
In short, I wouldn't do it. If you need anonymous users to be able to write to the web server it should be done through scripts that impose some type of sanity checking / validation (size, content, etc) on the uploaded data rather than through a straight HTTP PUT to the filesystem.
From Evan Anderson