IIS Virtual Directory Hacks
on 22.05.2006 13:02:38 by jonathan haughey
I am publishing a web application in ASP that will allow my users to access
a SQL database; each user will have a virtual directory that will give them
an interface to access their respective database.
My worry is that they will be able to access each other's virtual directories
and hence modify the respective database.
I want to test the application and ensure that users cannot access each
other's virtual directories and databases.
I have already tested that they cannot insert the name of another user's
virtual directory followed by a file name that they can find out from their
own virtual directory.
The users have no access to the IIS server apart from via their virtual
directory. I need to secure this application and make it watertight.
I am looking for some suggestions for how to possibly hack another user's
virtual directory.
Any help here would be greatly appreciated.
Many thanks in advance.
Re: IIS Virtual Directory Hacks
on 22.05.2006 13:31:32 by jeff.nospam
On Mon, 22 May 2006 12:02:38 +0100, "jonathan haughey" wrote:
>I am publishing a web application in ASP that will allow my users to access
>a SQL database; each user will have a virtual directory that will give them
>an interface to access their respective database.
>
>My worry is that they will be able to access each other's virtual directories
>and hence modify the respective database.
>
>I want to test the application and ensure that users cannot access each
>other's virtual directories and databases.
>
>I have already tested that they cannot insert the name of another user's
>virtual directory followed by a file name that they can find out from their
>own virtual directory.
>
>The users have no access to the IIS server apart from via their virtual
>directory. I need to secure this application and make it watertight.
>
>I am looking for some suggestions for how to possibly hack another user's
>virtual directory.
>
>Any help here would be greatly appreciated.
>
>Many thanks in advance.
Lock them down with NTFS permissions.
Jeff
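One way to check the result of the NTFS lockdown suggested above, as an added example that is not part of the thread: the function flags any Allow entry on a user's folder that belongs to neither that user nor an administrative principal. The `WEB01` machine name, the folder-per-account naming and the sample ACLs are constructed assumptions, and it presumes users authenticate to IIS with their own Windows accounts, since NTFS permissions cannot separate users who all run as the shared anonymous account.

```powershell
# Audit per-user directories: report every Allow ACE whose identity is neither
# the folder owner's account nor an administrative principal.
# Assumption (not from the thread): each folder is named after its owner's account.
$AdminPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Find-ForeignAce {
    param(
        [Parameter(Mandatory)] [string]   $Tenant,   # folder name = account name
        [Parameter(Mandatory)] [string]   $Domain,   # machine or domain name
        [Parameter(Mandatory)] [object[]] $Access    # e.g. (Get-Acl $path).Access
    )
    $owner = "$Domain\$Tenant"
    foreach ($ace in $Access) {
        $id = [string]$ace.IdentityReference
        if ([string]$ace.AccessControlType -ne 'Allow') { continue }
        if ($id -ieq $owner -or $AdminPrincipals -icontains $id) { continue }
        [pscustomobject]@{
            Tenant    = $Tenant
            Identity  = $id
            Rights    = [string]$ace.FileSystemRights
            Inherited = [bool]$ace.IsInherited   # true: fix the parent folder's ACL
        }
    }
}

# Constructed sample ACEs with the same property names Get-Acl returns.
function New-SampleAce($Id, $Rights, $Inherited = $false) {
    [pscustomobject]@{ IdentityReference = $Id; FileSystemRights = $Rights
                       AccessControlType = 'Allow'; IsInherited = $Inherited }
}
$sample = @{
    alice = @(
        (New-SampleAce 'BUILTIN\Administrators' 'FullControl'),
        (New-SampleAce 'WEB01\alice' 'Modify')
    )
    bob = @(
        (New-SampleAce 'WEB01\bob' 'Modify'),
        (New-SampleAce 'BUILTIN\Users' 'ReadAndExecute' $true),  # inherited group grant
        (New-SampleAce 'WEB01\alice' 'Read')                     # cross-user grant
    )
}
foreach ($t in $sample.Keys) {
    Find-ForeignAce -Tenant $t -Domain 'WEB01' -Access $sample[$t]
}

# On a real server, feed it live ACLs instead ($Root and $Domain are yours to set):
# Get-ChildItem $Root -Directory | ForEach-Object {
#     Find-ForeignAce -Tenant $_.Name -Domain $Domain -Access (Get-Acl $_.FullName).Access }
```

With the sample data, `alice` produces no findings and `bob` produces two: the inherited `BUILTIN\Users` entry and the explicit grant to `WEB01\alice`.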