Security risk on shared servers

During my work at several companies, the security on shared Windows servers supporting ASP was not very high.

A simple problem with large consequences is file security.

Let's say user X can upload ASP pages to the directory /User/X. User Y has the same hosting package and can upload to /User/Y.

Most hosts just create an FTP account for every user, pointing it at that user's own directory. So far, so good: every user can upload their website into their own directory.

But then the FileSystemObject comes into the picture.

Let's say user X has a file /User/X/index.asp which contains all sorts of information, and no one but X is supposed to be able to read its source code.

If you happen to be user Y and use the code below, you get a copy of index.asp from X's directory. On most Windows-based shared servers the file is readable by every ASP page, no matter whose directory it is in.

The code:

<%
' Create the FileSystemObject
Set fs = CreateObject("Scripting.FileSystemObject")
' Map the relative path ../X/index.asp to a physical path and open it for reading
Set fi = fs.OpenTextFile(Server.MapPath("../X/index.asp"))
' Send the complete source of the file to the browser
Response.Write fi.ReadAll
fi.Close
Set fi = Nothing
Set fs = Nothing
%>

The explanation:

Set fs = CreateObject("Scripting.FileSystemObject")

This simply creates the object.

Set fi = fs.OpenTextFile(Server.MapPath("../X/index.asp"))

This opens the named file on the server. Server.MapPath turns the relative path ../X/index.asp into a physical path, and the ../ steps out of Y's directory and into X's.

response.write fi.ReadAll

This gets all the content of the file and displays it.

It is as simple as that, and that is where the danger lies.

When you have some more time, you can experiment with the following items:

Set f = fs.GetFolder(someDir)           ' someDir is a physical directory path
For Each sf In f.SubFolders ... Next    ' walk the subfolders of f
For Each fi In f.Files ... Next         ' walk the files in f

Use these to list the contents of directories when you do not know what is in them.

Just so you know, altering ASP pages not belonging to you is not allowed (in most countries, I assume). But there are also legitimate ways to use these pieces of code, like making a remote editor to alter your own ASP pages from anywhere.

You might be wondering if Linux servers have the same problem; they don't. File security is much stricter on Linux-based systems. You can still browse the files and directories on a shared system, but only those whose permissions grant you access.
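The difference between the two platforms comes down to the permissions on the users' directories. The following PowerShell audit is an added example, not part of the original article: it reports which per-user web roots are readable by an identity that is shared between all customers' ASP pages. The D:\User layout and the list of shared identities are assumptions to adjust for your own server.

```powershell
# Added example (not from the original article): find per-user web roots whose
# NTFS ACL lets a shared IIS identity read them, which is exactly what lets user Y's
# ASP page open user X's files. Assumptions: sites live in $Root\<name>, and
# $SharedIdentities lists the accounts IIS runs every customer's pages under
# (on older IIS the anonymous account is named IUSR_<machinename>; add it here;
# account names are also localized on non-English Windows).
$Root = 'D:\User'
$SharedIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\IUSR',
    'BUILTIN\IIS_IUSRS'
)

# Rights that let FileSystemObject read a file (ReadData, 0x1; the same bit is
# ListDirectory for folders), plus the generic rights Windows sometimes stores
# instead of specific ones: GENERIC_ALL (0x10000000) and GENERIC_READ (0x80000000).
# Decimal literals are used because 8-digit hex literals are signed Int32 in PowerShell.
$ReadMask = 1 + 268435456 + 2147483648

$findings = foreach ($site in Get-ChildItem -Path $Root -Directory) {
    $acl = Get-Acl -LiteralPath $site.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($SharedIdentities -notcontains $ace.IdentityReference.Value) { continue }
        # Treat the rights as an unsigned 32-bit mask before testing the bits.
        $rights = [int64][int]$ace.FileSystemRights -band 4294967295
        if (($rights -band $ReadMask) -eq 0) { continue }
        [pscustomobject]@{
            Site      = $site.Name
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    Write-Warning "A shared identity can read these web roots. Break inheritance on each site and grant read access only to that site's own identity:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No shared identity has read access to the web roots under $Root."
}
```

Inherited entries (Inherited = True) usually mean the parent folder $Root grants the right and every new site silently inherits it, so that is the first place to fix.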

http://tech.hawkfield.be Article based resource site

http://www.hawkfield.be Web design and development
