Basically, the security on shared Windows servers
supporting ASP is not very high. A simple problem
with large consequences is file security.
Let's say user X can upload ASP pages to the
directory /User/X. User Y has the same hosting package
and can upload to /User/Y. Most hosts just create an
FTP account for every user, pointing them to their own
directory. So far, so good. Every user can upload their
nice website into their own directory.
But then the FileSystemObject comes into the
picture. Let's say user X has a file
/user/X/index.asp which contains all sorts of
information, but no one but him is supposed to reach the
code.
If you happen to be user Y and use the code below,
you get a copy of index.asp from X's directory. The
file is, on most Windows-based servers, readable to all
ASP pages, regardless of which user's directory they live in.
The code:

<%
Set fs = CreateObject("Scripting.FileSystemObject")
Set fi = fs.OpenTextFile(Server.MapPath("../X/index.asp"))
Response.Write fi.ReadAll
fi.Close
Set fi = Nothing
Set fs = Nothing
%>
The explanation:

Set fs = CreateObject("Scripting.FileSystemObject")
  This simply creates the object.

Set fi = fs.OpenTextFile(Server.MapPath("../X/index.asp"))
  This opens the file with the specified name on the server.
  Server.MapPath turns the relative path into the physical
  path on disk, and "../X" walks from Y's directory into X's.

Response.Write fi.ReadAll
  This gets the entire content of the file and displays it.
It is as simple as that, and that is where the danger
lies. When you have some more time you can experiment
with the following items:

Set f = fs.GetFolder(Some Dir)
For Each sf In f.SubFolders
    ...
Next
For Each fi In f.Files
    ...
Next

Use this to get the content of directories if
you do not know what is in them.
Just so you know, altering ASP pages not belonging to
you is not allowed (in most countries, I assume). But
there are also legal ways to use these pieces of code,
like making a remote editor to alter your own ASP pages
from anywhere.
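If you do build such a remote editor, the same FileSystemObject
calls need a guard so the editor cannot be pointed at other users'
directories. The read routine below is an added example, not code
from the text above; it assumes the editor lives under the virtual
path /User/Y and takes the file name from a query string parameter
named "f".

```vbscript
<%
' Added example: a remote-editor read routine that only serves files
' inside the caller's own directory. "/User/Y" and the "f" parameter
' are assumptions, not values from the original text.
Option Explicit

Function SafeReadFile(relPath)
    Dim fs, base, full, fi
    Set fs = CreateObject("Scripting.FileSystemObject")

    ' Resolve both the caller's own root and the requested file to
    ' absolute physical paths, so that any ".." in relPath is collapsed
    ' before we compare them.
    base = fs.GetAbsolutePathName(Server.MapPath("/User/Y")) & "\"
    full = fs.GetAbsolutePathName(Server.MapPath("/User/Y/" & relPath))

    ' Reject anything that resolves outside the base directory
    ' (for example a request that walks into another user's folder).
    If StrComp(Left(full, Len(base)), base, vbTextCompare) <> 0 Then
        SafeReadFile = ""
        Exit Function
    End If

    If Not fs.FileExists(full) Then
        SafeReadFile = ""
        Exit Function
    End If

    Set fi = fs.OpenTextFile(full, 1)   ' 1 = ForReading
    SafeReadFile = fi.ReadAll
    fi.Close
    Set fi = Nothing
    Set fs = Nothing
End Function

' HTML-encode the result so the source is shown, not executed or rendered.
Response.Write "<pre>" & Server.HTMLEncode(SafeReadFile(Request.QueryString("f"))) & "</pre>"
%>
```

This check only protects the page you wrote; it does nothing about the underlying issue that any other user's ASP page can still open your files, which is a file permission matter on the server itself.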
You might be wondering if Linux servers have the same
problem; well, they don't. File security is much stricter
on Linux-based systems. You can still browse around the
files and directories on shared systems, but only the ones
you have been given permission to access.
****************************************************************************