Hi,
I'm in the process of evaluating FileVista (v3.5), and I have now discovered that it is possible to make a script attack.
What I'm talking about is: if a user uploads a script to a folder, then the user can type the path to the script, http://server.com/User/attack.asp, and the script will run. Simple question: how do I prevent a user from executing anything on the server, but still keep all the functions like zip?
Thanks
Steen
SteenB
4/16/2009 4:19 AM
Hi Steen,
It's not a weakness of FileVista. For instance, suppose you gave your users access to your web site via FTP. Then they could do the exact same thing. So this is about your IIS configuration.
If you need to use a web accessible folder in FileVista, then you should disable "Script" and "Execute" permissions for this folder in IIS. This way, even if a user types the URL of an uploaded script, the script will not run.
Otherwise, you should generally choose a non-web-accessible folder, i.e. a folder that is outside of the web root. For instance, if the web root is c:\inetpub\wwwroot, then you can choose a folder that is outside of this folder, like c:\FileVistaFolder.
This way, the folder will not be accessible via web naturally so you will not have to consider IIS permissions.
Cem Alacayir
4/16/2009 6:04 AM
Hi,
Thanks for a quick reply.
That is what I have: the web is in C:\inetpub\FileVista, and the user folder is in C:\UserHome. I made a root folder named UserHome, and this links to C:\UserHome. Still, I can type http://server/UserHome/attack/attack.asp and the "attack text" will pop up in the web browser.
I have no idea why.
SteenB
SteenB
4/16/2009 6:16 AM
Hi,
Sorry there, I was too quick to reply.
In IIS I also have a virtual folder that has a link to the same folder; after removing this, I could not replicate the attack.
Problem solved.
Thanks
SteenB
SteenB
4/16/2009 6:23 AM
It seems there is a virtual directory in IIS named UserHome pointing to c:\UserHome.
Either that, or your web root (http://server/) strangely points to c:\.
Otherwise, you can't access this folder via the URL http://server/UserHome/.
Cem Alacayir
4/16/2009 6:25 AM
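The two checks Cem describes above (is the root folder reachable through a virtual directory or through a web root that points above it, and are Script/Execute still allowed there) can be run as an audit. The script below is an added example, not code from this thread or from FileVista; it assumes IIS 7 or later with the WebAdministration module, that C:\UserHome is the FileVista root folder as in the thread, and that virtual directories live under the site's root application.

```powershell
# Added example (not from the thread or FileVista): find IIS mappings that expose the
# FileVista root folder over HTTP and report whether handlers accessPolicy at that
# location still permits Script or Execute. Assumes IIS 7+ / WebAdministration.
Import-Module WebAdministration

$rootFolder = 'C:\UserHome'   # FileVista root folder (assumed, as named in the thread)
$fix        = $false          # $true: restrict accessPolicy to Read where the folder is exposed

function Test-PathInside([string]$child, [string]$parent) {
    # True when $child is $parent itself or lies below it (case-insensitive)
    $c = [IO.Path]::GetFullPath($child).TrimEnd('\') + '\'
    $p = [IO.Path]::GetFullPath($parent).TrimEnd('\') + '\'
    return $c.StartsWith($p, [StringComparison]::OrdinalIgnoreCase)
}

foreach ($site in Get-Website) {
    # Site root, applications and virtual directories (vdirs assumed under the root app)
    $mappings = @([pscustomobject]@{ Path = '/'; PhysicalPath = $site.physicalPath })
    $mappings += Get-WebApplication -Site $site.Name | Where-Object { $_.path -ne '/' } |
        ForEach-Object { [pscustomobject]@{ Path = $_.path; PhysicalPath = $_.PhysicalPath } }
    $mappings += Get-WebVirtualDirectory -Site $site.Name | Where-Object { $_.path -ne '/' } |
        ForEach-Object { [pscustomobject]@{ Path = $_.path; PhysicalPath = $_.physicalPath } }

    foreach ($m in $mappings) {
        $phys = [Environment]::ExpandEnvironmentVariables($m.PhysicalPath)
        $insideFolder = Test-PathInside $phys $rootFolder   # e.g. vdir UserHome -> C:\UserHome
        $aboveFolder  = Test-PathInside $rootFolder $phys   # e.g. web root -> C:\
        if (-not ($insideFolder -or $aboveFolder)) { continue }

        # Location tag in applicationHost.config, e.g. "Default Web Site/UserHome"
        $location = ('{0}{1}' -f $site.Name, $m.Path).TrimEnd('/')
        $policy = (Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
                      -Location $location -Filter 'system.webServer/handlers').accessPolicy
        $allowsRun = $policy -match 'Script|Execute'
        $flag = if ($allowsRun) { '  <-- uploaded scripts can run here' } else { '' }
        '{0,-35} {1,-25} accessPolicy={2}{3}' -f $location, $phys, $policy, $flag

        if ($fix -and $allowsRun -and $insideFolder) {
            # Written as a location tag in applicationHost.config, so it applies even when
            # the handlers section is locked against web.config. A web root that points
            # above the folder is only reported: it must be re-pointed, not made Read-only.
            Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
                -Filter 'system.webServer/handlers' -Name 'accessPolicy' -Value 'Read'
            "  fixed: $location is now Read only"
        }
    }
}
```

Run it as an administrator; with `$fix` left at `$false` it only reports, and the fix is deliberately not applied to a site root, since FileVista itself needs Script to run.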
I guess we were posting at the same time :)
Ok, so the problem was just what I thought.
Cem Alacayir
4/16/2009 6:26 AM