IIS default file permissions used improperly?

on 18.07.2006 20:32:01 by CyrexCore2k

This applies to IIS 6.0 with all current service packs at the time of this
post.

If you set the file permissions for any default page in a directory, they
will be overridden by the directory permissions if the web request does not
include the file name.

www.abc.com/mydirectory/ Will use directory permissions for default.asp
www.abc.com/mydirectory/default.asp Will use file permissions for default.asp

Meaning that even if all access is denied for default.asp, the script can still be
executed by the client simply by removing the file name from the URL.

www.abc.com/mydirectory/default.asp Access denied
www.abc.com/mydirectory/ Script executes

Maybe this makes sense to everyone else, but this seems somewhat
counter-intuitive to me. It seems like the file permissions should take
precedence here if they are defined.
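The behaviour described in the post above is easy to check from the client side: for every directory of interest, request the bare directory URL (which IIS resolves through its Default Documents list and checks against the directory's ACL) and then the explicit default-document URL (checked against the file's own ACL). A directory that is served when requested bare but denied when the file is named explicitly is exactly the mismatch the poster hit. The following probe is an added example, not code from the original thread; the host name, directory names and the constructed response table standing in for a live IIS 6 server are all assumptions. IIS reports an NTFS ACL denial as 401 (substatus 401.3), so both 401 and 403 are treated as "denied".

```python
"""Probe for the default-document vs. file-ACL mismatch on an IIS host.

Added example, not from the original post. Host, paths and the fake
response table below are constructed for illustration.
"""
from urllib.request import Request, urlopen
from urllib.error import HTTPError

# IIS answers an NTFS ACL denial with 401 (401.3); 403 covers other denials.
DENIED = {401, 403}


def http_status(url, timeout=5):
    """Return the HTTP status code for a GET of url (needs network access)."""
    try:
        with urlopen(Request(url, method="GET"), timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def find_bypasses(base_url, directories, default_docs, fetch=http_status):
    """Return (dir_url, file_url, dir_status, file_status) for every directory
    that is served when requested bare but denied when one of its default
    documents is named explicitly in the URL."""
    findings = []
    for directory in directories:
        dir_url = f"{base_url.rstrip('/')}/{directory.strip('/')}/"
        dir_status = fetch(dir_url)
        if dir_status != 200:
            # Directory ACL already blocks the bare request; nothing to bypass.
            continue
        for doc in default_docs:
            file_url = dir_url + doc
            file_status = fetch(file_url)
            if file_status in DENIED:
                findings.append((dir_url, file_url, dir_status, file_status))
    return findings


# Constructed responses standing in for a live IIS 6 host (assumption):
# /mydirectory/ reproduces the poster's case, /public/ is consistent,
# /locked/ is denied at the directory level.
FAKE_RESPONSES = {
    "http://www.abc.com/mydirectory/": 200,
    "http://www.abc.com/mydirectory/default.asp": 401,
    "http://www.abc.com/mydirectory/default.htm": 404,
    "http://www.abc.com/public/": 200,
    "http://www.abc.com/public/default.asp": 200,
    "http://www.abc.com/public/default.htm": 404,
    "http://www.abc.com/locked/": 401,
    "http://www.abc.com/locked/default.asp": 401,
}


def fake_fetch(url):
    """Offline stand-in for http_status using the constructed table."""
    return FAKE_RESPONSES.get(url, 404)


def demo():
    """Run the probe against the constructed host; returns the findings."""
    return find_bypasses(
        "http://www.abc.com",
        ["mydirectory", "public", "locked"],
        ["default.asp", "default.htm"],
        fetch=fake_fetch,
    )


if __name__ == "__main__":
    for dir_url, file_url, dir_status, file_status in demo():
        print(f"{dir_url} -> {dir_status} but {file_url} -> {file_status}")
```

Against a real host, pass the default-document names configured for the site (default.asp, default.htm, index.htm and so on) and drop the `fetch=` argument so `http_status` performs live requests; anything the probe reports should be fixed on the server by applying the deny to the directory, or by removing the file from the Default Documents list, rather than by relying on the file ACL alone.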

RE: IIS default file permissions used improperly?

on 18.07.2006 20:35:02 by CyrexCore2k

I made a typo, sorry.

> www.abc.com/mydirectory/ Will use directory permissions for _mydirectory_
> www.abc.com/mydirectory/default.asp Will use file permissions for default.asp

RE: IIS default file permissions used improperly?

on 19.07.2006 00:29:01 by Karl Levinson

"CyrexCore2k" wrote:

> This applies to IIS 6.0 with all current service packs at the time of this
> post.
>
> www.abc.com/mydirectory/ Will use directory permissions for
> www.abc.com/mydirectory/default.asp Will use file permissions for default.asp

> Maybe this makes sense to everyone else but this seems somewhat
> counter-intuitive to me. It seems like the file permissions should take
> precedence here if they are defined.

That's an interesting finding. I would email it to secure@microsoft.com.
They may not say it is a security vulnerability per se, but at least emailing
them would increase the chance of it being fixed or at least better
documented.

--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
-------------------------
Microsoft Security FAQ:
http://www.securityadmin.info

RE: IIS default file permissions used improperly?

on 19.07.2006 00:43:02 by CyrexCore2k

Yeah, I didn't see it as a real security threat, but for the longest time I
couldn't figure out why my scripts that I had set to execute using an
administrative account would sometimes execute and then "randomly" hit a
"permission denied" error.

I emailed them, so we'll see what happens.

RE: IIS default file permissions used improperly?

on 09.08.2006 17:44:03 by jigs4u4ever

Hi,
The behaviour is, I think, because "default.asp" is the default document
you have set in IIS for your site. So when the client sends a request to the web
server, the first thing it does is find out whether the file is available (default.asp); in your
case yes, the file is available. The second step IIS then does is to check the
ACL.

My suggestion is to check the default.asp file script execution by first removing
the file as a "Default Document" for your web, and then give it a try.

Thanks & Regards
Jigs4u_4ever.

"CyrexCore2k" wrote:

> This applies to IIS 6.0 with all current service packs at the time of this
> post.
>
> If you set the file permissions for any default page in a directory, they
> will be overridden by the directory permissions if the web request does not
> include the file name.
>
> www.abc.com/mydirectory/ Will use directory permissions for default.asp
> www.abc.com/mydirectory/default.asp Will use file permissions for default.asp
>
> Meaning that even if all access is denied for default.asp, the script can still be
> executed by the client simply by removing the file name from the URL.
>
> www.abc.com/mydirectory/default.asp Access denied
> www.abc.com/mydirectory/ Script executes
>
> Maybe this makes sense to everyone else, but this seems somewhat
> counter-intuitive to me. It seems like the file permissions should take
> precedence here if they are defined.