Sharing Too Much
The Dangers of Hosting on Windows NT
By Chuck Newman
I often maintain my Web sites by accessing an ASP script that lets me work remotely with files. I call the script my Windows Based Web Explorer (WBWE). With WBWE, I don't need to use telnet; I can just log in from any computer with a Web browser and start modifying files on the Web server. The interface for WBWE is shown in Figure 1. The GUI is similar to that of my local copy of Windows Explorer except, like I said, I'm using a Web browser and the application resides on the same server as the files I want to access.
At the heart of my application is the FileSystemObject (FSO), which an ASP script creates as Scripting.FileSystemObject. The object handles a number of tasks in ASP scripts, such as listing, reading, and writing files on the server's hard drives. Useful as it is, FSO can leave your site and its databases wide open to attackers if the server's file permissions are misconfigured: FSO does no access checking of its own, so it reads and writes whatever the account running the script is allowed to touch.
FSO is one of the objects in the Microsoft Scripting Runtime type library, Scrrun.dll, which ships with the Microsoft Windows NT 4.0 Option Pack and IIS 4. Many hosting companies, including the one I was using on the day I gained access to an entire hard drive's worth of Web sites, run such a setup on their shared NT servers. The fact that the servers are shared is important, because it means that a number of Web sites are hosted on one computer, and the only thing standing between one site's scripts and another site's files is the NTFS permission list on each directory. Unfortunately, most hosting companies haven't properly secured their shared systems, so any client who knows how to access FSO can list, read, or write files in any directory on the server's hard drives. In other words, a person like me can get at proprietary source code and credit card databases that belong to another Web site.
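The quickest way to find out whether your host has this problem is to ask FSO itself. The following ASP page is an added example, not the author's WBWE and not code from the article: dropped into a site on a shared server and requested like any other page, it walks every fixed drive the script's account can reach and reports, for each top-level folder, whether that account can enumerate it. Any folder outside the site's own Web root that comes back LISTABLE is exactly the cross-tenant exposure described above. The directory names in the comments are placeholders; the page assumes Scrrun.dll is registered and that the host runs your pages under the same account it uses for everyone else's.

```asp
<%@ Language=VBScript %>
<%
Option Explicit
' Added audit page (not the author's WBWE). Reports which top-level
' folders the account running this script can enumerate. On a properly
' locked-down shared host, other tenants' folders should all come back
' "access denied".
Response.ContentType = "text/plain"

Dim fso, siteRoot
Set fso = Server.CreateObject("Scripting.FileSystemObject")
' This site's own Web root, e.g. d:\sites\mysite (placeholder path),
' normalised to lower case with a trailing backslash for prefix tests.
siteRoot = LCase(Server.MapPath("/"))
If Right(siteRoot, 1) <> "\" Then siteRoot = siteRoot & "\"

' True if the account can enumerate the folder, False if NTFS refuses
' (FSO raises run-time error 70, "Permission denied").
Function CanList(folderPath)
    Dim f, n
    On Error Resume Next
    Set f = fso.GetFolder(folderPath)
    n = f.Files.Count + f.SubFolders.Count
    CanList = (Err.Number = 0)
    Err.Clear
    On Error GoTo 0
End Function

' True if p is this site's root or lies beneath it.
Function InsideSiteRoot(p)
    InsideSiteRoot = (Left(LCase(p) & "\", Len(siteRoot)) = siteRoot)
End Function

Sub ReportFolder(p)
    Dim status
    If CanList(p) Then
        status = "LISTABLE"
        If Not InsideSiteRoot(p) Then
            status = status & "  <-- outside this site's root"
        End If
    Else
        status = "access denied"
    End If
    Response.Write "  " & p & "  " & status & vbCrLf
End Sub

Dim drv, sub1
Response.Write "This site's Web root: " & siteRoot & vbCrLf
For Each drv In fso.Drives
    ' DriveType 2 = fixed disk; skip floppies, CD-ROMs and network shares
    If drv.IsReady Then
        If drv.DriveType = 2 Then
            Response.Write vbCrLf & "Drive " & drv.DriveLetter & ":" & vbCrLf
            If CanList(drv.RootFolder.Path) Then
                For Each sub1 In drv.RootFolder.SubFolders
                    ReportFolder sub1.Path
                Next
            Else
                Response.Write "  (root folder not listable)" & vbCrLf
            End If
        End If
    End If
Next
%>
```

Read the output the other way round as well: if this page can list folders outside its own root, and the host runs every tenant's scripts under one anonymous account, then every other tenant's page can list yours. The cure is not an application-level check in your own scripts (another tenant's script never runs yours) but NTFS permissions: remove the blanket Everyone rights from the drive roots and grant each site's account access only to that site's directory tree.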