Forum folder security evaluation

I wrote a very simple script that will test the folder security of the basic WWF folder structure. It seems that many people have hosts that don't offer folder permission changes, or the permissions are almost impossible to verify, and having folders that other users on the same server can modify is a hack just waiting for a Turkish Hacker to find it.

Here is a link to the code: http://www.beyondinvestigation.com/biforum/forumsecurity.txt

And a link to the zip'd asp file: http://www.beyondinvestigation.com/biforum/forumsecurity.zip

All it does is attempt to write a new file in each folder of the forum then delete that file. To use it, you must put the asp file in the root folder of your forum. I could have had the program search for the forum or blindly test every folder it could find, but I don't want to build too much power that can be too easily exploited for such a simple task. Some kinds of testing might even be a violation of some acceptable use policies, and I don't want to be responsible for someone else getting booted off their host.

You MUST modify the ASP code by changing the hardcoded password then upload the change to your WWF forum folder. After you copy the ASP file to the forum directory, you MUST change the file name to something other than "forumsecurity.asp". If the filename is not changed or the password is not changed, it will redirect you to Yahoo!. (I don't want this sitting around waiting for hacker spiders to find.)

After all that, open the page in your browser and enter your password into the only field and click submit. It should give you some basic information about your server and a table of the 14 WWF folders with each folder's security setting.

Please let me know if you have any problems or questions. I'm working on additions that will tell you if your MDB is inappropriately still in the default folder and if you haven't removed or renamed the dangerous setup files.

In fact, now that I think about, I think I'll add this to my Forum as a link that shows up when I log in as adminstrator and turn this into an actual MOD.

Sorry for the bump, but I want to ask if anyone has tested the utility and if they results were what was expected.  Also, to inform you that I have made a couple minor changes.  First is a bug fix that causes the root folder of the forum itself to not be tested at all.  Second is a simple test to verify the folder being tested actually exists.  So please download the zip file again to get more accurate test results.

Here is an image of part of the results from the script for one of my sites:

yes ntfs, by rights they shopuld have read only but alot of hosts forget abut them and leave it will fulll read,write permissions.

the only folders that should not be only read only is the uploads folder. and/or you are unable to add the database outside the root folder and in which case the database folder also.

it is advisable ot have the database outside the root folder,

bhal007, your host's response is probably pretty typical. They are confusing "means" with "permission". As a webmaster, we must assume that a hacker will eventually find a means to upload files. When that happens, it may be only permissions that protect your site.

Generally speaking, the forum and all file accesses, whether HTML, JPG, GIF, or ASP, are served in the NT user context of the anonymous web user. When the IIS process attempts to do anything on the server, it's doing it on behalf of the anonymous web user. It's good for the integrity of your files that each site sharing the same server has its own unique user account. That's an important step. But, the anonymous web user on all sites is also a member of the "Everyone" group. And the default permissions on the c:\, c:\windows\, and c:\windows\system32\ folders allow full control by "Everyone". Some hosts wrongly assume that those folders are safe because a web user can only browse folders defined by IIS as web folders.

That's a very dangerous assumption, because it's entirely not true. No web browser could enter "www.somedomain.com/c:\windows\system32\" to produce a list of files in that folder. But, there are some very dangerous hacker tools out there that do just that. I've used such a hacker utility in the form of a single ASP file to upload files to a host's c:\windows\system32\ folder (with their permission). By having appropriate permissions set on your folders, your site would probably be up and running in a few days after the host gets their server running again.

I would respond to your host with a thanks for their advice, but you would like to have the permissions on all folders except the uploads folder in your webspace set to "Read Only" for the anonymous web user account. If they won't do it, I would consider looking for another host who will. The best is a host that lets you set permissions yourself. There are probably several users here who can recommend a such a host.