Prev: IIS 7 and web.config for classic ASP
Next: how to display a message in html when there is no data by using javal scripts
From: Andyza on 30 Sep 2009 09:32
I'm using code similar to the code below to write to a text file on my
web server (IIS 6 & Win2k3).

strFileName = Server.Mappath("Test.txt")
Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strFileName,8,True)
objFile.WriteLine "Hello World"
objFile.Close
Set objFile = nothing
Set objFSO = nothing

In order for thsi script to work the Internet Guest account (IUSR)
needs to have Write permissions. For obvious security reasons we don't
really want to allow this. Apart form giving IUSR write access, is
there any other way get the script to be able to write to the text
file?

Thanks
From: Bob Barrows on 30 Sep 2009 09:51
Andyza wrote:
> I'm using code similar to the code below to write to a text file on my
> web server (IIS 6 & Win2k3).
>
> strFileName = Server.Mappath("Test.txt")
> Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
> Set objFile = objFSO.OpenTextFile(strFileName,8,True)
> objFile.WriteLine "Hello World"
> objFile.Close
> Set objFile = nothing
> Set objFSO = nothing
>
> In order for thsi script to work the Internet Guest account (IUSR)
> needs to have Write permissions. For obvious security reasons we don't
> really want to allow this. Apart form giving IUSR write access, is
> there any other way get the script to be able to write to the text
> file?
>
Cause the code to run under a different security context? In IIS, you
could do this by using impersonation. But the effect would be the same,
really. If you are doing this in ASP server-side code then the same
security hole would be opened. All you can really do is mitigate the
potential damage by only assigning Write permissions for a specific
folder.
--
HTH,
Bob Barrows


 | 
Pages: 1
Prev: IIS 7 and web.config for classic ASP
Next: how to display a message in html when there is no data by using javal scripts