Upload folders with Write and Execute access are vulnerable (189272)


The information in this article applies to:

  • Microsoft Internet Information Server 4.0
This article was previously published under Q189272
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx

SUMMARY

A computer running Internet Information Server (IIS) may be vulnerable to attack if the following conditions are true:
  • IIS is configured to allow users to upload content using RFC 1867 methods.
  • The directory that users can upload to has both Write access and Execute permissions.

MORE INFORMATION

Folders that are used for file uploading need to be given Write access in the Internet Service Manager (ISM) snap-in for the Microsoft Management Console (MMC). If Execute permissions are also granted in the ISM, a malicious user could upload an executable file and run it on the computer running IIS.

When you attempt to apply both Write access and Execute permissions to a folder, you receive the following warning message:
WARNING - By setting both the Write and Execute permissions,
you are potentially exposing this site to malicious attack.
A destructive or intrusive program could be uploaded and
then executed. Are you sure you want to do this?

If you click Yes, you potentially expose the server to attack.

To prevent malicious attack, never allow Write and Execute permissions on an NTFS volume exposed to the Internet. As an additional level of security, set the IIS SSIExecDisable property to True on the IIS Web server to disable Server-Side Includes (SSI) from executing.

To disable SSI from executing on a server with Windows Script Host (WSH) enabled, follow these steps:
  1. At the command prompt, change to the IIS AdminSamples folder. By default, this folder is in %SystemRoot%\System32\InetSrv\AdminSamples
  2. Type the following command, and then press Enter: cscript.exe adsutil.vbs set w3svc/SSIExecDisable True
On a server without WSH installed, the following sample code can be called from Visual Basic or ASP: 
   Dim oServer
   Set oServer = GetObject("IIS://LocalHost/W3SVC")
   oServer.SSIExecDisable = True
   oServer.SetInfo
   Set oServer = Nothing
Modification Type:MajorLast Reviewed:9/28/2005
Keywords:kbinfo KB189272 kbAudDeveloper
©2004 Microsoft Corporation. All rights reserved.