
Forum folder security evaluation

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=17286
Printed Date: 17 April 2026 at 11:29am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Forum folder security evaluation
Posted By: JJLatWebWiz
Subject: Forum folder security evaluation
Date Posted: 17 November 2005 at 5:07pm
I wrote a very simple script that will test the folder security of the basic WWF folder structure. It seems that many people have hosts that don't offer folder permission changes, or the permissions are almost impossible to verify, and having folders that other users on the same server can modify is a hack just waiting for a Turkish Hacker to find it.

Here is a link to the code: http://www.beyondinvestigation.com/biforum/forumsecurity.txt

And a link to the zip'd asp file: http://www.beyondinvestigation.com/biforum/forumsecurity.zip

All it does is attempt to write a new file in each folder of the forum then delete that file. To use it, you must put the asp file in the root folder of your forum. I could have had the program search for the forum or blindly test every folder it could find, but I don't want to build too much power that can be too easily exploited for such a simple task. Some kinds of testing might even be a violation of some acceptable use policies, and I don't want to be responsible for someone else getting booted off their host.

You MUST modify the ASP code by changing the hardcoded password then upload the change to your WWF forum folder. After you copy the ASP file to the forum directory, you MUST change the file name to something other than "forumsecurity.asp". If the filename is not changed or the password is not changed, it will redirect you to Yahoo!. (I don't want this sitting around waiting for hacker spiders to find.)

After all that, open the page in your browser and enter your password into the only field and click submit. It should give you some basic information about your server and a table of the 14 WWF folders with each folder's security setting.

Please let me know if you have any problems or questions. I'm working on additions that will tell you if your MDB is inappropriately still in the default folder and if you haven't removed or renamed the dangerous setup files.

In fact, now that I think about it, I think I'll add this to my forum as a link that shows up when I log in as administrator and turn this into an actual MOD.

-------------
p.s. I'm not affiliated with Web Wiz Guide in any way. I'm just an average Web Wiz user repaying my debt for the use of their fine forum by trying to help other Web Wiz Guide users.



Replies:
Posted By: dpyers
Date Posted: 17 November 2005 at 8:03pm
What a great idea Thumbs Up

-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: JJLatWebWiz
Date Posted: 22 November 2005 at 11:35am

Sorry for the bump, but I want to ask if anyone has tested the utility and if the results were what was expected.  Also, to inform you that I have made a couple of minor changes.  First is a fix for a bug that caused the root folder of the forum itself to not be tested at all.  Second is a simple test to verify the folder being tested actually exists.  So please download the zip file again to get more accurate test results.

Here is an image of part of the results from the script for one of my sites:

As you can see the new CAPTCHA and security_images folders are not found because I'm still using an older version of WWF.
 
 


-------------
p.s. I'm not affiliated with Web Wiz Guide in any way. I'm just an average Web Wiz user repaying my debt for the use of their fine forum by trying to help other Web Wiz Guide users.


Posted By: bhall007
Date Posted: 23 November 2005 at 4:49pm
What are the correct permissions that should be set on the forum folder?  Are these NTFS permissions?  I assume it would be anonymous users have read-only.  Thanks!


Posted By: dj air
Date Posted: 24 November 2005 at 5:07am
Yes, NTFS. By rights they should have read-only, but a lot of hosts forget about them and leave it with full read/write permissions.

The only folder that should not be read-only is the uploads folder, and, if you are unable to put the database outside the root folder, the database folder as well.

It is advisable to have the database outside the root folder.


Posted By: bhall007
Date Posted: 24 November 2005 at 1:42pm
I contacted my hosting service regarding removing write access for anonymous users and they responded with the following.  He claims that it's necessary to have write access:

"The issue of write access by anonymous user is a function of your forum software. There are methods of access to consider from an ACL's point of view. One is the IIS user that is granted to a user when they access your forum software. That user does not have write access through IIS. However, your forum software runs as this same user and does have access when not running through IIS, meaning that your forum software is executing directly on the server. That user does have write access. Therefore if the user is able to write files via your forum then they do have write access. This is required in order for your forum software to write its data files. However, again, a typical user using a web browser does not have access to write files. Additionally, your website has one user while other websites have their own unique users. Each of those users only have access to their subdirectory structure that is their own website. The same is true of your FTP access. The solution to your concerns is to not allow anonymous access to your forum."



Posted By: JJLatWebWiz
Date Posted: 26 November 2005 at 1:28am
bhall007, your host's response is probably pretty typical. They are confusing "means" with "permission". As a webmaster, we must assume that a hacker will eventually find a means to upload files. When that happens, it may be only permissions that protect your site.

Generally speaking, the forum and all file accesses, whether HTML, JPG, GIF, or ASP, are served in the NT user context of the anonymous web user. When the IIS process attempts to do anything on the server, it's doing it on behalf of the anonymous web user. It's good for the integrity of your files that each site sharing the same server has its own unique user account. That's an important step. But, the anonymous web user on all sites is also a member of the "Everyone" group. And the default permissions on the c:\, c:\windows\, and c:\windows\system32\ folders allow full control by "Everyone". Some hosts wrongly assume that those folders are safe because a web user can only browse folders defined by IIS as web folders.

That's a very dangerous assumption, because it's entirely not true. No web browser could enter "www.somedomain.com/c:\windows\system32\" to produce a list of files in that folder. But, there are some very dangerous hacker tools out there that do just that. I've used such a hacker utility in the form of a single ASP file to upload files to a host's c:\windows\system32\ folder (with their permission). By having appropriate permissions set on your folders, your site would probably be up and running in a few days after the host gets their server running again.

I would respond to your host with a thanks for their advice, but you would like to have the permissions on all folders except the uploads folder in your webspace set to "Read Only" for the anonymous web user account. If they won't do it, I would consider looking for another host who will. The best is a host that lets you set permissions yourself. There are probably several users here who can recommend such a host.

-------------
p.s. I'm not affiliated with Web Wiz Guide in any way. I'm just an average Web Wiz user repaying my debt for the use of their fine forum by trying to help other Web Wiz Guide users.


Posted By: bhall007
Date Posted: 26 November 2005 at 12:16pm
So, is the administrator of my hosting provider correct in that anonymous should have write access in the forum folder?  If anonymous users only have read-only access, does the forum software run as another user on a lower level when it actually writes changes to the database, etc?  If anonymous users are denied write access, then how can they write changes, etc.?  What are the ACL NTFS permissions that should be granted to anonymous?  (i.e., Read...)


Posted By: dpyers
Date Posted: 27 November 2005 at 1:10pm
I think you're getting confused between the anonymous user and your script user. In a normal shared hosting environment, there are three Windows accounts involved in this discussion...

  1. myaccount - The login account given you to administer and ftp to your web site
  2. IUSR_myaccount - The account your asp scripts run under (IUSR = IIS User).
  3. anonymous - typically an FTP account that allows anyone to FTP to/from your web space without logging in. Unless you want your site to be used by others to host warez and porn on your bandwidth dime, never allow an anonymous FTP account.

Some web hosts have utilities that allow myaccount to change directory permissions for IUSR_myaccount. The other hosts require that you submit a trouble ticket and they change the permissions.

As JJLatWebWiz noted, IUSR_myaccount should only have read permissions by default. If write permissions are needed for a specific directory, either a myaccount utility or the web host needs to set them to allow the IUSR_myaccount user (your script) to write.

So why do some web hosts allow read/write permissions for IUSR_myaccount by default? Typically, it's done for financial reasons rather than security reasons.
  1. If IUSR_myaccount has read/write permissions by default, they don't get trouble tickets and complaints from new users saying "my script don't work"
  2. They don't lay out cash for a utility that allows myaccount to set IUSR_myaccount permissions (those utilities have their own set of security problems also).
  3. They don't spend time on trouble tickets asking for permission changes.
When your hosting provider is talking about the "anonymous user", he's really talking about the script user - IUSR_myaccount. If they allow the script user to write by default, it's for their convenience - not because your site is secure. Time to shop for a new host.

P.S. - I've got three hacker programs that do what JJLatWebWiz described - one of them I wrote in VB2 using the windows api about 10 years ago so it's not like this is a new security risk.



-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: JJLatWebWiz
Date Posted: 27 November 2005 at 8:18pm
bhall007, your administrator is not correct.

But first, to be clear, when I say "anonymous user" or "anonymous web user", I mean the "IUSR_myaccount" (the actual account name could be anything) that dpyers is talking about. I do not mean the anonymous NT "Guest" account. With inconsequential exceptions, all actions taken by IIS to satisfy a request from a web browser are done on behalf of the "IUSR_myaccount" NT account.

The only folders in which the anonymous web user MUST have write permission are the folders in which the Access MDB is stored and the uploads folder, if you allow uploads. Otherwise, "Read-Only" is best. No "writes" are taking place in any other folders by the anonymous web user, so the extra security is just that, "extra security".

As far as the hacker utilities that dpyers is talking about, I think there are a couple of things that make today's hacker utilities more dangerous than 10 years ago, probably most notably ADODB.Stream, which lets hackers upload files without counting on other COM objects like ASPUpload.

-------------
p.s. I'm not affiliated with Web Wiz Guide in any way. I'm just an average Web Wiz user repaying my debt for the use of their fine forum by trying to help other Web Wiz Guide users.
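The folder probe described in the first post, written out here as an added example (it is not JJLatWebWiz's forumsecurity.asp, which was never quoted in the thread), with the rule from the post above built in: a folder that is writable but should not be, or read-only where the forum has to write, is flagged. Everything that is not in the posts is an assumption: the folder list is illustrative and must be edited to match the install, and the secret, the expected filename and the scratch-file naming are mine.

```asp
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' Added example, not the forumsecurity.asp from the original post. It probes each
' forum folder for write access in the identity IIS really uses for the page (the
' anonymous web user, IUSR_...) and compares the result with the rule from the
' thread: only the database folder and the uploads folder should be writable.
' ASSUMPTIONS: change SECRET and rename this file before uploading, as the
' original post requires; EXPECTED_FILENAME must equal the new filename.
Const SECRET            = "change-me-before-upload"
Const EXPECTED_FILENAME = "rename-me.asp"

' ASSUMPTION: illustrative folder list, relative to the forum root (the folder this
' file lives in); edit it to match your install. The flag is True for folders that
' are expected to be writable.
Dim folderList
folderList = Array( _
    Array(".",        False), _
    Array("admin",    False), _
    Array("includes", False), _
    Array("images",   False), _
    Array("database", True), _
    Array("uploads",  True))

Dim fso, scriptPath, rootPath
Set fso = CreateObject("Scripting.FileSystemObject")
scriptPath = Server.MapPath(Request.ServerVariables("SCRIPT_NAME"))
rootPath   = fso.GetParentFolderName(scriptPath)

' Gate 1: refuse to run under the default filename or the default secret (the
' original post sends such requests to Yahoo!; so does this).
If LCase(fso.GetFileName(scriptPath)) <> LCase(EXPECTED_FILENAME) _
   Or SECRET = "change-me-before-upload" Then
    Response.Redirect "http://www.yahoo.com/"
    Response.End
End If

' Gate 2: require the secret on every request.
If CStr(Request.Form("pw")) <> SECRET Then
%>
<form method="post"><input type="password" name="pw"> <input type="submit" value="Test folders"></form>
<%
    Response.End
End If

' Create and delete a scratch file. Returns "MISSING", "READ-ONLY", "WRITABLE", or
' "ERROR: ..." for failures that are not a plain permission denial.
Function ProbeFolder(absPath)
    Dim testFile, ts
    If Not fso.FolderExists(absPath) Then
        ProbeFolder = "MISSING"
        Exit Function
    End If
    testFile = fso.BuildPath(absPath, fso.GetTempName())
    On Error Resume Next
    Set ts = fso.CreateTextFile(testFile, False)
    If Err.Number = 70 Then                 ' runtime error 70 = Permission denied
        ProbeFolder = "READ-ONLY"
    ElseIf Err.Number <> 0 Then
        ProbeFolder = "ERROR: " & Err.Description
    Else
        ts.Close
        fso.DeleteFile testFile, True
        If Err.Number <> 0 Then
            ProbeFolder = "WRITABLE (scratch file left behind: " & testFile & ")"
        Else
            ProbeFolder = "WRITABLE"
        End If
    End If
    Err.Clear
    On Error GoTo 0
End Function

' Combine what was found with what is expected into an actionable verdict.
Function Verdict(found, expectWrite)
    If found = "MISSING" Then
        Verdict = "not present in this version"
    ElseIf Left(found, 5) = "ERROR" Then
        Verdict = "check manually"
    ElseIf Left(found, 8) = "WRITABLE" And Not expectWrite Then
        Verdict = "FIX: remove write access for the anonymous web user"
    ElseIf found = "READ-ONLY" And expectWrite Then
        Verdict = "FIX: the forum needs write access here"
    Else
        Verdict = "OK"
    End If
End Function

Dim i, relPath, absPath, found
Response.Write "<p>" & Server.HTMLEncode(Request.ServerVariables("SERVER_SOFTWARE")) & _
               ", forum root " & Server.HTMLEncode(rootPath) & "</p>"
Response.Write "<table border=""1""><tr><th>Folder</th><th>Should be writable</th>" & _
               "<th>Found</th><th>Verdict</th></tr>"
For i = 0 To UBound(folderList)
    relPath = folderList(i)(0)
    If relPath = "." Then absPath = rootPath Else absPath = fso.BuildPath(rootPath, relPath)
    found = ProbeFolder(absPath)
    Response.Write "<tr><td>" & Server.HTMLEncode(relPath) & "</td><td>" & folderList(i)(1) & _
                   "</td><td>" & Server.HTMLEncode(found) & "</td><td>" & _
                   Verdict(found, folderList(i)(1)) & "</td></tr>"
Next
Response.Write "</table>"
%>
```

Because the page runs inside IIS, the result reflects the effective rights of whatever identity the site actually runs as (IUSR_... plus any groups it belongs to, such as Everyone or Users), which is exactly what looking at an ACL over FTP cannot tell you. Delete the file once the check is done; the two gates only make it harder to find, not safe to leave in place.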


Posted By: bhall007
Date Posted: 28 November 2005 at 10:17am
Thanks JJLatWebWiz and dpyers for the great info.  I'll pass that along to my web host and hope that we get it all tied up.  Thanks!

Happy Holidays!




Posted By: bhall007
Date Posted: 28 November 2005 at 11:10am
One last question:  If you have the database in another private folder outside the root web folder (i.e., C:\Inetpub\private\Website.com), how can you enable the user to upload files to the private folder via FTP?  Can you setup a virtual folder/shortcut in FTP that will allow a user to upload to that folder in FTP, but that is inaccessible through HTTP?  Or will this have to be done by the administrator directly?

Thanks!


Posted By: dj air
Date Posted: 29 November 2005 at 2:12pm
Usually you have a setup where you have

Username
|
|-- website (folder)
|
|-- Private (folder)

You usually log in to FTP at the username level, so you see both directories.





Posted By: dpyers
Date Posted: 29 November 2005 at 5:30pm
Most webhosts are set up the way dj air said.

The problem with allowing users to FTP is that Windows hosts don't typically support sub-FTP accounts that restrict users to executing FTP only on specific directories. You usually just have one FTP account, which allows FTP to any directory under your Username account in dj air's example.

The work-around is to upload via a script which has access to the proper directory and you control the user's access to the upload script by requiring them to login to use it. Unix hosts usually allow sub-ftp.

Uploading via a script is nowhere near as efficient as FTP. Most hosts will limit your uploads via script to a 2 MB file. You can also run into script time-out issues.


-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: JJLatWebWiz
Date Posted: 29 November 2005 at 6:07pm

Originally posted by bhall007:

If you have the database in another private folder outside the root web folder (i.e., C:\Inetpub\private\Website.com), how can you enable the user to upload files to the private folder via FTP?

Make sure you are not confusing the "database" and the "forum code".  The "database" is a single file, the one and only MDB file, and the "forum code" is the rest of the ASP, GIF, and JPG files and the folders.  You don't want the users to upload or download or directly touch anything in the same folder as the database.  When you use FTP with the credentials supplied by your host to upload files, you usually start at the highest folder that your host has granted you access to, which is usually "above" your web root.

Here's a sample folder structure:
[image: Sample folder structure]

Everything in the wwwRoot folder and all subfolders is accessible directly from a web browser.  If you know the name of the file in any of those folders, you can enter it into the browser address line and the web server will probably send it to the browser.
 
Everything outside the wwwRoot folder is a sibling or parent and the web server provides no direct method to access files therein.  Files can be accessed above the web root via scripts or other programmatic objects (assuming the anonymous web user has permission).  So, in the example above, logs, privatedb, stats, and uploads (not the same as forum/uploads) can only be accessed via a script.  The uploads folder above the web root is in case I would want to enable anonymous FTP.  You should NEVER (NEVER, NEVER, NEVER) allow anonymous FTP in ANY web folder.
 
If your private folder is a sibling or parent of the web root, then that is the best place for your forum's Access MDB.  Remember, users are not uploading files to the database.

Originally posted by bhall007:

Can you setup a virtual folder/shortcut in FTP that will allow a user to upload to that folder in FTP, but that is inaccessible through HTTP?  Or will this have to be done by the administrator directly?
 
It would be best to not allow users to FTP files at all.  Let web users use only the file upload functionality of WWF.
 
I hope I understood your questions correctly.


-------------
p.s. I'm not affiliated with Web Wiz Guide in any way. I'm just an average Web Wiz user repaying my debt for the use of their fine forum by trying to help other Web Wiz Guide users.
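As an added example (not WWF's own code) of the point in the post above that files above the web root are reachable from a script but not from a browser: resolve the MDB in a privatedb folder beside wwwRoot without using "../" in Server.MapPath, refuse to continue if the path turns out to be under the web root after all, and open it through ADO. The folder names follow the sample structure in the post; the filename wwForum.mdb, the provider string and the PrivateDbPath/ListUserTables names are mine.

```asp
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' Added example, not WWF code. ASSUMPTIONS: the layout matches the sample
' structure in the post (privatedb is a sibling of wwwRoot); "wwForum.mdb",
' the provider string and the function names are placeholders of mine.

' Resolve <parent of web root>\siblingFolder\dbFileName without "../".
Function PrivateDbPath(siblingFolder, dbFileName)
    Dim fso, webRoot, candidate
    Set fso = CreateObject("Scripting.FileSystemObject")
    webRoot = Server.MapPath("/")                        ' physical path of the web root
    If Right(webRoot, 1) = "\" Then webRoot = Left(webRoot, Len(webRoot) - 1)
    candidate = fso.GetAbsolutePathName(fso.BuildPath( _
        fso.BuildPath(fso.GetParentFolderName(webRoot), siblingFolder), dbFileName))
    ' A database under the web root can be downloaded by anyone who guesses its name.
    If LCase(Left(candidate, Len(webRoot) + 1)) = LCase(webRoot & "\") Then
        Err.Raise vbObjectError + 1, "PrivateDbPath", "database would sit inside the web root: " & candidate
    End If
    If Not fso.FileExists(candidate) Then
        Err.Raise vbObjectError + 2, "PrivateDbPath", "database not found: " & candidate
    End If
    PrivateDbPath = candidate
End Function

' Open the MDB and list its user tables through the schema rowset, so the
' example does not have to assume any WWF table names. Opening the file also
' creates a .ldb lock file beside it, which is why the anonymous web user needs
' write access to the privatedb folder and not just read access to the .mdb.
Function ListUserTables(dbPath)
    Const adSchemaTables = 20
    Dim conn, rs, html
    Set conn = CreateObject("ADODB.Connection")
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & dbPath & ";"
    Set rs = conn.OpenSchema(adSchemaTables)
    html = ""
    Do Until rs.EOF
        If rs("TABLE_TYPE").Value = "TABLE" Then
            html = html & Server.HTMLEncode(rs("TABLE_NAME").Value) & "<br>"
        End If
        rs.MoveNext
    Loop
    rs.Close
    conn.Close
    ListUserTables = html
End Function

Dim dbPath
dbPath = PrivateDbPath("privatedb", "wwForum.mdb")
Response.Write "<p>Database: " & Server.HTMLEncode(dbPath) & "</p>"
Response.Write "<p>" & ListUserTables(dbPath) & "</p>"
%>
```

Server.MapPath("../privatedb/...") is the tempting shortcut, but on IIS 6 parent paths are disabled by default and the call fails with ASP 0175 (Disallowed Path Characters); walking up from Server.MapPath("/") with the FileSystemObject avoids that. The .ldb lock file is the reason the database folder is, besides uploads, the one place where write access for the anonymous web user cannot be avoided, which matches what the thread recommends. The Jet 4.0 provider exists only as a 32-bit component; a 64-bit application pool needs the ACE provider instead.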


Posted By: bhall007
Date Posted: 30 November 2005 at 10:58pm
Thanks JJLatWebWiz, dj air and dpyers, and everyone else for the responses.  This is just the answer I was looking for.  I really appreciate the great info, and I'm going to pass it along and try to implement this setup.

So, the IUSR_SiteName "anonymous" account ought to have read/write NTFS permissions on the private and upload (if you're using it) folders, and read on everything else? 

Thanks!





Forum Software by Web Wiz Forums® version 12.08 - https://www.webwizforums.com
Copyright ©2001-2026 Web Wiz Ltd. - https://www.webwiz.net