Forum folder security evaluation

I think you're getting confused between anonymous user and your script user. In a normal shared hosting environment, there's three windows accounts involved in this discussion...

1. myaccount - The login account given you to administer and ftp to your web site
2. IUSR_myaccount - The account your asp scripts run under (IUSR = IIS User).
   
3. anonymous - typically an ftp account that allows anyone to ftp to/from your web space without loggin in. Unless you want your site to be used by others to host warez and porn on your bandwidth dime, never allow an anonymous ftp account.
   

Some web hosts have utilities that allow myaccount to change directory permissions for IUSR_myaccount. The other hosts require that you submit a trouble ticket and they change the permissions.

As JJLatWebWiz noted, IUSR_myaccount should only have read permissions by default. If write permissions are needed for a specific directory, either a myaccount utility or the web host needs to set them to allow the IUSR_myaccount user (your script) to write.

So why do some web host allow read/write permissions for IUSR_myaccount by default? Typically, it's done for financial reasons rather than security reasons.

1. If IUSR_myaccount has read/write permissions by default, they don't get trouble tickets and complaints from new users saying "my script don't work"
2. They don't lay out cash for a utility that allows myaccount to set IUSR_myaccount permissions (Those utilities have their own set of security problems also).
3. They dont spend time on trouble tickets asking for permission changes.
   

When your hosting provider is talking about "anonymouse user", he's really talking about the script user - IUSR_myaccount. If they allow the script user to write by default, it's for their convenience - not  because your site is secure. Time to shop for a new host.

P.S. - I've got three hacker programs that do what JJLatWebWiz described - one of them I wrote in VB2 using the windows api about 10 years ago so it's not like this is a new security risk.

Thanks JJLatWebWiz and dypers for the great info.  I'll pass that along to my web host and hope that we get it all tied up.  Thanks!

Happy Holidays!

ususally you have a set up where you have


Username
l
l
-- website (folder)
l
l
--Private (folder)


yu ussually login to ftp at username level so see both directories.

bhall007 wrote: If you have the database in another private folder outside the root web folder (i.e., C:\Inetpub\private\Website.com), how can you enable the user to upload files to the private folder via FTP?

Make sure you are not confusing the "database" and the "forum code"?  The "database" is a single file, the one and only MDB file, and the "forum code" is the rest of the ASP, GIF, and JPG files and the folders.  You don't want the users to upload or download or directly touch anything in the same folder as the database.  When you use FTP with the credentials supplied by your host to upload files, you usually start at the highest folder that your host has granted you access, which is usually "above" your web root.

Here's a sample folder structure: