[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Full-Disclosure] Frontpage Extensions Remote Command Execution
- To: full-disclosure@lists.netsys.com
- Subject: RE: [Full-Disclosure] Frontpage Extensions Remote Command Execution
- From: "mattmurphy@kc.rr.com" <mattmurphy@kc.rr.com>
- Date: Wed, 12 Nov 2003 16:32:29 -0500
"Geo" <geoincidents@getinfo.org> writes:
>No it's not, IWAM is Web Applications MANAGER account you were thinking of
>IUSR perhaps? This is not guest. This account can change websites so in a
>multi host environment this level of access will allow a compromise of
>every website on the server.
You're flat out wrong on this point. I have IIS installed on the machine
that I write from now (firewalled to LAN). IWAM is a GUEST. Guests are
members of USERS. And if you read MSDN's documentation, out-of-process
applications are *not* allowed metabase access in any way shape or form.
The metabase file's permissions are restricted to Administrators only.
Looking at the description of the IWAM_machinename account on my system, it
is listed as the "Launch Process Account". IWAM has *no* privileges other
than those explicitly granted to Guests, Users, or Everyone.
The *only* way that a process running as IWAM can access the metabase is if
an Administrator authenticates to IIS and it uses that user's account as
its impersonation token. In any case, that is specific to the thread
processing that request.
--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html