Re: IIS 4.0 symlinks

From: Branden R. Williams (brwat_private)
Date: Tue Jun 22 1999 - 08:13:45 PDT


    On Fri, 18 Jun 1999, Aris Yahnis wrote:
    
    > Find a web hosting site, create a fictitious account, make a shortcut of a
    > file you would like to see ex.
    > c:\winnt\profiles\administrator\ntuser.dat upload the .lnk file to the
    > web server and then go ask for it.  Answer yes to open the file remotely
    > ( or something like that).
    >
    > Now the q: Is it a feature of IIS to follow links, or is it a bug?
    
    I am not sure of Microsoft's opinion on this, but here is mine.
    
    The ability to follow links should be a feature to be enabled on a per
    website basis.  I currently work very closely with Apache, as it runs on
    many of my *nix servers.  This is something Apache can be configured to do
    on a global, or per site basis.  I find this very useful on sites that I
    administer when trying to save time or increase functionality.
    
    A customer's site will not have this feature enabled because of the
    security risks, but I don't see why those of us administering the servers
    should not be able to have some fun :).
    
    Of course, the general caveat to the *nix version of this is that the
    file to be requested must be readable by the webserver.  So files like
    /etc/shadow could not be displayed in most server configurations, but
    files like /etc/passwd could be.  This is the main reason why customers do
    not have the ability to use this feature.
    
    Maybe the real question is, "Should NT allow the webserver to read files
    that could cause someone to exploit a security hole?"  Or maybe "Should
    those NT Administrators allow the user IIS runs under to view these
    files?"
    
    Just my $0.02.
    
    Cheers,
    
    Branden R. Williams <brwat_private>
    Vice President, Systems - NetVitality, Inc.
    http://www.netvitality.net/
    Internet Commerce Specialists
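
An audit for the *nix case discussed in this message, added here as an example and not part of the original post: it lists symbolic links under a document root that resolve outside it, and reports whether each target is readable by the account running the script. The function names and the temporary sample tree are constructed for illustration, and POSIX paths are assumed.

```python
import os
import tempfile


def find_escaping_symlinks(docroot):
    """Return sorted (link, resolved_target, readable) tuples for every
    symlink under docroot whose resolved target lies outside docroot."""
    root = os.path.realpath(docroot)
    findings = []
    # followlinks=False: report directory links but never descend into them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # resolves chained links too
            if os.path.commonpath([root, target]) != root:
                # os.access() answers for the current user, so run the audit
                # as the web server's account to see what it could serve.
                findings.append((path, target, os.access(target, os.R_OK)))
    return sorted(findings)


def demo():
    """Build a constructed sample tree and audit it."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(docroot, "img"))
    outside = os.path.join(base, "secret.txt")  # lives outside the docroot
    with open(outside, "w") as f:
        f.write("not for publication\n")
    index = os.path.join(docroot, "index.html")
    with open(index, "w") as f:
        f.write("<html></html>\n")
    os.symlink(index, os.path.join(docroot, "home.html"))         # stays inside
    os.symlink(outside, os.path.join(docroot, "img", "peek.txt"))  # escapes
    os.symlink(os.path.join(base, "missing"),
               os.path.join(docroot, "dangling"))                  # broken link
    return docroot, find_escaping_symlinks(docroot)


if __name__ == "__main__":
    root, results = demo()
    for link, target, readable in results:
        state = "readable" if readable else "not readable"
        print(f"{os.path.relpath(link, root)} -> {target} ({state})")
```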
    


