We really could use more detail about what you are saying/asking here. What
version of IIS are you talking about? Also, what read/write permissions are you
talking about? Do you mean the settings in IIS or the actual NTFS permissions?
One caution--allowing WebDAV access to your website and giving the anonymous
user write or even read permissions can be very dangerous.
Mark Burnett
On Tue, 13 Dec 2005 14:42:17 +0200, Ömer Faruk Özer wrote:
Hi,
"Script source access" permission in IIS allows users to see source
code of scripts. This is achieved by sending "translate: f" WebDAV
header after GET method.
Here is an example you can try with telnet:
GET /login.asp HTTP/1.0
translate: f
If following conditions are met you should see the source code of
the script instead of its processed output.
1. WebDAV must be enabled. Because translate: f is a WebDAV header
2. Script source access must be checked
3. NTFS DACL of the login.asp must be IUSR_machinename:WRITE (if
Anonymous authentication is in place)
Is there anybody who knows why just READ right is not enough?
Omer Faruk Ozer
Researcher
National Research Institute of Electronics and Cryptology P.O. Box
74, 41470 Gebze, KOCAELI, TURKEY
Phone : +90 262 648 16 21
Fax : +90 262 648 11 00
e-mail : faruk.ozer@uekae.tubitak.gov.tr
--------------------------------------------------------------------
------- ------------------------------------------------------------
---------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
