ISAPI scripts run under the IUSR_MACHINENAME account under IIS, and thus, inherit the security permissions of this account. However, if the ISAPI program contains a simple call labelled RevertToSelf(), you have a big hole. Once that program line is executed, the ISAPI program reverts it's authority to the all-powerful SYSTEM account, at which point the program can do just about anything, including successfully execute system() calls. Try it yourself - this DLL runs on Intel based IIS machines. Drop it in your scripts directory, and call it without any parameters using your Web browser. (i.e. http://www.yoursite.com/scripts/revert.dll) It creates a directory called C:\IIS-REVERT-TEST with no trouble at all :( I tested this on an NTFS partition with no normal user permissions on the root directory.
|
