IIS / FTP Security
Posted 23 Jan 2004 12:24:22
23 Jan 2004 12:24:22 gordon knapp posted:
This may be a little "off topic"; if so, I apologise. However, it is a matter that may be of concern to ASP developers.
1/ I have just come across an ASP web host (who shall remain nameless) running IIS 5.
2/ When logging onto their server using my client's FTP info I am able to (by double clicking on the ftp icon) see a list of every website hosted on that particular server.
3/ More worrying is the fact that it is possible to actually open some of these sites and view the files therein.
I contacted the host concerned and they informed me that this was normal and the only files I could see into were in sites that were using Front Page Extensions. They also requested that I keep my nose out of these "Private" files or they could suspend the hosting account.
Now, I and some of my clients run sites on a variety of Windows Hosting packages and I have NEVER seen anything like this before. Maybe I'm naive .... maybe just lucky.
As an example, the super reliable DC Hosting, who also run IIS 5 do NOT have this problem.
This leads me to suspect that the hosts in question (or whoever they lease their servers from) have not set the server up correctly.
Have any of you ever come across this? I am not necessarily looking for a solution, I just want to find out if the problem is as common as this particular host would have me believe.
Cheers
G
Replies
Replied 23 Jan 2004 17:54:34
23 Jan 2004 17:54:34 Dave Thomas replied:
I'd be concerned personally.
So what they're saying is, anyone using Front Page Extensions on a site is liable to attack from anyone with the know-how who happens to host with them too.
And once that happens they're bound to create a load of FTP accounts for other similarly lame people.
I would have cancelled my account as soon as possible.
That's my opinion anyway.
Regards,
Dave
[DWMX 2004] | [FlashMX 2004 Pro]|[Studio MX 2004]|[SQL]|[Access2000/2002]|[ASP/VBScript]|[XP-Pro]
Replied 23 Jan 2004 18:34:10
23 Jan 2004 18:34:10 gordon knapp replied:
Thanks for your reply, Dave. I will definitely be looking for a new home for this particular site.
G
Replied 24 Jan 2004 13:57:03
24 Jan 2004 13:57:03 Rene Bandsma replied:
Wow! That is a big leak in their IIS system! There are several ways to block users from other folders.
The most simple is to use the Localuser folder in \inetpub\. We have used 5.0 for over 3 years, and with the right knowledge you can set up IIS with the highest security.
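An added example, not part of the thread or any poster's code: a host can check for the cross-site visibility described above by auditing the NTFS ACLs on each customer folder. The sketch parses `icacls`-style output and reports any allow entry for a principal other than the folder's own account or the system accounts; the folder layout, the `WEBHOST` account names, the sample listing and the rule that a folder is named after its FTP account are all assumptions made for illustration.

```python
import re

# Constructed sample of icacls-style output for three customer folders.
# Paths and accounts are hypothetical; paths are assumed to contain no spaces.
SAMPLE = r"""
D:\inetpub\LocalUser\alpha BUILTIN\Administrators:(OI)(CI)(F)
                           NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                           WEBHOST\alpha:(OI)(CI)(M)

D:\inetpub\LocalUser\bravo BUILTIN\Administrators:(OI)(CI)(F)
                           WEBHOST\bravo:(OI)(CI)(M)
                           BUILTIN\Users:(OI)(CI)(RX)

D:\inetpub\LocalUser\charlie NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                             WEBHOST\charlie:(OI)(CI)(M)
                             WEBHOST\alpha:(DENY)(R)
                             Everyone:(R)
"""

# Principals expected on every customer folder (compared case-insensitively).
TRUSTED = {"builtin\\administrators", "nt authority\\system"}
# One ACE: "<principal>:(flag)(flag)..."
ACE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")

def parse_icacls(text):
    """Return {folder: [(principal, flags), ...]} from icacls-style output."""
    acls, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None              # blank line ends one folder's listing
            continue
        if not line[0].isspace():       # unindented line starts a new folder
            current, _, line = line.partition(" ")
        m = ACE.match(line.strip())
        if m and current:
            acls.setdefault(current, []).append((m["who"], m["flags"]))
    return acls

def cross_tenant_findings(acls):
    """List allow ACEs held by anyone other than the folder's own account."""
    findings = []
    for folder, aces in acls.items():
        tenant = folder.rsplit("\\", 1)[-1].lower()
        for who, flags in aces:
            if "(DENY)" in flags or flags.endswith("(N)"):
                continue                # deny / no-access entries grant nothing
            account = who.rsplit("\\", 1)[-1].lower()
            if who.lower() not in TRUSTED and account != tenant:
                findings.append((folder, who, flags))
    return findings

if __name__ == "__main__":
    for folder, who, flags in cross_tenant_findings(parse_icacls(SAMPLE)):
        print(f"{folder}: readable by {who} {flags}")
```

Broad groups such as `BUILTIN\Users` or `Everyone` on a customer folder are what let one customer's FTP login browse another customer's files.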