Microsoft KB Archive/189272

= Upload folders with Write and Execute access are vulnerable =

Article ID: 189272

Article Last Modified on 9/28/2005


APPLIES TO


 * Microsoft Internet Information Server 4.0




This article was previously published under Q189272



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SUMMARY
A computer running Internet Information Server (IIS) may be vulnerable to attack if the following conditions are true:


 * IIS is configured to allow users to upload content using RFC 1867 methods.
 * The directory that users can upload to has both Write access and Execute permissions.



MORE INFORMATION
Folders that are used for file uploading need to be given Write access in the Internet Service Manager (ISM) snap-in for the Microsoft Management Console (MMC). If Execute permissions are also granted in the ISM, a malicious user could upload an executable file and run it on the computer running IIS.

When you attempt to apply both Write access and Execute permissions to a folder, you receive the following warning message:

    WARNING - By setting both the Write and Execute permissions,
    you are potentially exposing this site to malicious attack.
    A destructive or intrusive program could be uploaded and
    then executed. Are you sure you want to do this?

If you click Yes, you potentially expose the server to attack.

To prevent malicious attack, never grant both Write and Execute permissions to a folder on an NTFS volume that is exposed to the Internet. As an additional level of security, set the IIS SSIExecDisable property to True on the IIS Web server so that Server-Side Includes (SSI) cannot execute programs.

To disable SSI from executing on a server with Windows Script Host (WSH) enabled, follow these steps:


 1. At the command prompt, change to the IIS AdminSamples folder. By default, this folder is %SystemRoot%\System32\InetSrv\AdminSamples.
 2. Type the following command, and then press Enter:
    cscript.exe adsutil.vbs set w3svc/SSIExecDisable True

On a server without WSH installed, the following sample code can be called from Visual Basic or ASP:

    ' Bind to the WWW service node of the metabase through ADSI
    Dim oServer
    Set oServer = GetObject("IIS://LocalHost/W3SVC")
    ' Disable #exec server-side includes for the whole service
    oServer.SSIExecDisable = True
    ' Write the change back to the metabase
    oServer.SetInfo
    Set oServer = Nothing
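The warning dialog described above only fires when an administrator sets both flags by hand in the ISM; folders that already carry both Write and Execute (for example through inheritance from the site or from W3SVC) are never flagged. The following script is an added example, not part of this article, that audits the whole metabase tree for that condition and, with the /fix switch, removes Execute from offending nodes and sets SSIExecDisable as the article recommends. It assumes the IIS ADSI provider (IIS://) is present and that it is run with cscript.exe under an administrative account; the class names and the AccessWrite, AccessExecute and SSIExecDisable properties are the standard metabase ADSI properties, and the script name and /fix switch are assumptions of this example.

```vbscript
' audit-write-execute.vbs  (added example; not part of KB 189272)
' Usage: cscript.exe audit-write-execute.vbs [/fix]
' Walks the W3SVC tree through ADSI and reports every node that grants both
' Write and Execute. With /fix it removes Execute from those nodes and sets
' SSIExecDisable on W3SVC. Assumes the IIS:// ADSI provider is available.
Option Explicit

Dim bFix, oService, nFindings
bFix = False
If WScript.Arguments.Count > 0 Then
    If LCase(WScript.Arguments(0)) = "/fix" Then bFix = True
End If

Set oService = GetObject("IIS://LocalHost/W3SVC")
nFindings = 0
WalkNode oService, "W3SVC"

If bFix Then
    ' Stop #exec server-side includes service-wide, as the article advises.
    oService.SSIExecDisable = True
    oService.SetInfo
    WScript.Echo "SSIExecDisable set to True on W3SVC"
End If

WScript.Echo "Nodes with both Write and Execute: " & nFindings
' Non-zero exit code lets a scheduled job or monitoring script notice findings.
If nFindings > 0 Then WScript.Quit 1

Sub WalkNode(oNode, sPath)
    Dim oChild
    ' Only these classes carry access flags and can contain further
    ' directories; filters, log modules and files are skipped.
    Select Case oNode.Class
        Case "IIsWebService", "IIsWebServer", "IIsWebVirtualDir", "IIsWebDirectory"
            ' Access flags inherit downwards; reading them gives the effective value.
            If oNode.AccessWrite = True And oNode.AccessExecute = True Then
                nFindings = nFindings + 1
                WScript.Echo "WARNING: Write and Execute both granted on " & sPath
                If bFix Then
                    ' Keep Write so uploads still work; drop Execute so an
                    ' uploaded program cannot be run by the server.
                    oNode.AccessExecute = False
                    oNode.SetInfo
                    WScript.Echo "    fixed: Execute removed from " & sPath
                End If
            End If
            For Each oChild In oNode
                WalkNode oChild, sPath & "/" & oChild.Name
            Next
    End Select
End Sub
```

Run it without /fix first: the report lists the metabase path of each node where both flags are effective, which is what the ISM warning cannot tell you when the combination was inherited rather than set directly on the folder.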

Additional query words: ACL ACLs privileges hack hackers #exec Executable Content

Keywords: kbinfo KB189272


© Microsoft Corporation. All rights reserved.