Everyone writable IIS root directory

From: Nobuo Miwa (n-miwaat_private)
Date: Thu Sep 23 1999 - 17:17:24 PDT


    Hi,
    
    We (the JWNTUG (Japan Windows NT Users Group) Security Working Group)
    reported to MS a kind of DoS problem on the mailroot and ftproot
    directories of IIS.
    Those directories (C:\Inetpub\ftproot, \mailroot) are readable
    and writable for Everyone.
    So we tested the following script as C:\inetpub\mailroot\fill.bat
    
      :fill
      copy drop\*.* pickup
      goto fill
    
    This script can be executed by any user, and the hard disk will
    be filled with emails soon after some emails come into the "drop"
    directory. We also tested from Terminal Server. It works well.
    In addition, any user can read and write email in the drop folder.
    
    We reported this to MS and they replied as follows:
    
    You're right -- those permissions should be tightened.
    We're going to add this to the IIS Security Checklist at
    http://www.microsoft.com/security/products/iis/CheckList.asp,
    to make sure that customers know that they need to do this.
    Thanks again for reporting the issue!  Regards,
    
    Secureat_private
    
    ----------------------------------------------------------------
    Nobuo Miwa
      A member of JWNTUG Security Working Group
        http://www.jwntug.or.jp
    
    Special thanks to
      Hideaki Ihara<iharaat_private>
      YOKOYAMA Tetsuya <Yokoyama.Tetsuyaat_private>
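
The check a practitioner would want to run against the directories named in the post is whether Everyone holds write access on them, and then to strip that access without touching inherited entries. The following PowerShell is an added example, not code from the original post or from Microsoft: the paths follow the post, the `$Principals` list beyond 'Everyone' and the function names are this example's own assumptions, and it uses Get-Acl/Set-Acl, which did not exist on the IIS 4 systems the post describes.

```powershell
# Added example (not part of the original post). Audits the IIS directories
# named in the post for write access granted to Everyone, and can remove it.
# $Roots follows the post; change it for a non-default install.
$Roots = @('C:\Inetpub\ftproot', 'C:\Inetpub\mailroot')

# Principals whose write access we consider a problem. 'Everyone' is what the
# post reports; the others are assumptions added for completeness.
$Principals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Any ACE carrying one of these rights lets the holder create or overwrite
# files, which is all fill.bat needs. Generic rights on inherit-only ACEs may
# show up as raw integers; -band still works on them.
$WriteBits = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-WideOpenDirectory {
    # Returns one record per offending Allow ACE on each existing path.
    param([string[]]$Paths = $Roots)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                           (($ace.FileSystemRights -band $WriteBits) -ne 0)
            if (($Principals -contains $who) -and $grantsWrite) {
                [pscustomobject]@{
                    Path      = $p
                    Identity  = $who
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Remove-WideOpenAccess {
    # Removes explicit (non-inherited) Allow ACEs that grant the listed
    # principals write rights. Inherited ACEs cannot be removed here; fix
    # them on the parent or break inheritance first. Without -Apply this
    # only reports what it would change.
    param([string[]]$Paths = $Roots, [switch]$Apply)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        $targets = @($acl.Access | Where-Object {
            ($Principals -contains $_.IdentityReference.Value) -and
            ($_.AccessControlType -eq 'Allow') -and
            (-not $_.IsInherited) -and
            (($_.FileSystemRights -band $WriteBits) -ne 0)
        })
        foreach ($ace in $targets) {
            Write-Host ("{0}: removing {1} for {2}" -f $p, $ace.FileSystemRights,
                        $ace.IdentityReference.Value)
            [void]$acl.RemoveAccessRule($ace)
        }
        if ($Apply -and $targets.Count -gt 0) {
            Set-Acl -LiteralPath $p -AclObject $acl
        }
    }
}

# Usage: report first, then apply once the output looks right.
Get-WideOpenDirectory | Format-Table -AutoSize
Remove-WideOpenAccess            # dry run
# Remove-WideOpenAccess -Apply   # actually rewrite the DACLs
```

Run the audit before the removal and read its output: the SMTP service that consumes mailroot\Pickup and writes mailroot\Drop needs its own service account granted on those folders, so replace a blanket Everyone entry with an explicit ACE for that account rather than leaving the directory with no writer at all. Removing only explicit ACEs is deliberate; an inherited Everyone entry points at a parent directory whose DACL is the real problem.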
    