From: Andyza on 30 Sep 2009 09:32

I'm using code similar to the code below to write to a text file on my web server (IIS 6 & Win2k3).

    strFileName = Server.MapPath("Test.txt")
    Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
    ' 8 = ForAppending, True = create the file if it does not exist
    Set objFile = objFSO.OpenTextFile(strFileName, 8, True)
    objFile.WriteLine "Hello World"
    objFile.Close
    Set objFile = Nothing
    Set objFSO = Nothing

In order for this script to work the Internet Guest account (IUSR) needs to have Write permissions. For obvious security reasons we don't really want to allow this. Apart from giving IUSR write access, is there any other way to get the script to be able to write to the text file?

Thanks

From: Bob Barrows on 30 Sep 2009 09:51
Andyza wrote:
> I'm using code similar to the code below to write to a text file on my
> web server (IIS 6 & Win2k3).
>
> strFileName = Server.MapPath("Test.txt")
> Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
> Set objFile = objFSO.OpenTextFile(strFileName,8,True)
> objFile.WriteLine "Hello World"
> objFile.Close
> Set objFile = Nothing
> Set objFSO = Nothing
>
> In order for this script to work the Internet Guest account (IUSR)
> needs to have Write permissions. For obvious security reasons we don't
> really want to allow this. Apart from giving IUSR write access, is
> there any other way to get the script to be able to write to the text
> file?
>

Cause the code to run under a different security context? In IIS, you could do this by using impersonation. But the effect would be the same, really. If you are doing this in ASP server-side code then the same security hole would be opened. All you can really do is mitigate the potential damage by only assigning Write permissions for a specific folder.

--
HTH,
Bob Barrows
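
Added example, not part of the thread and not either poster's code: one way to apply the "Write permissions for a specific folder" mitigation from the reply above in the ASP script itself. It assumes a hypothetical folder `D:\AppData\SiteLogs` that sits outside the web content tree and is the only place where the anonymous account has been granted Write permission; the folder, constant names and helper names are illustrative.

```vbscript
<%
Option Explicit

' Constructed example. LOG_DIR is a hypothetical folder outside the web
' content tree, assumed to be the only folder where the anonymous account
' has Write permission. Files written there cannot be requested or run
' as scripts through the site.
Const LOG_DIR = "D:\AppData\SiteLogs"
Const LOG_NAME = "Test.txt"
Const ForAppending = 8
Const MAX_LEN = 200

' Remove CR/LF and cap the length so that one call always produces
' exactly one bounded line in the file.
Function CleanLine(strText)
    Dim strOut
    strOut = Replace(Replace(CStr(strText), vbCr, " "), vbLf, " ")
    If Len(strOut) > MAX_LEN Then strOut = Left(strOut, MAX_LEN)
    CleanLine = strOut
End Function

Sub AppendLine(strText)
    Dim objFSO, objFile, strPath
    Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
    ' The path is built from constants only; nothing taken from the
    ' request (query string, form, cookies) ever reaches the file name.
    strPath = objFSO.BuildPath(LOG_DIR, LOG_NAME)
    ' True = create the file if it does not exist yet
    Set objFile = objFSO.OpenTextFile(strPath, ForAppending, True)
    objFile.WriteLine Now() & " " & CleanLine(strText)
    objFile.Close
    Set objFile = Nothing
    Set objFSO = Nothing
End Sub

AppendLine "Hello World"
%>
```

With this layout the anonymous account keeps read-only access to the site's own folders, so a flaw in the script can at most add lines to files in the one writable folder.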