Re: IIS 6.0 on Windows Server 2003
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 07/24/04
- Previous message: tim: "Re: Executing a locally installed program in IIS 6"
- In reply to: anonymous_at_discussions.microsoft.com: "Re: IIS 6.0 on Windows Server 2003"
- Next in thread: anonymous_at_discussions.microsoft.com: "Re: IIS 6.0 on Windows Server 2003"
- Reply: anonymous_at_discussions.microsoft.com: "Re: IIS 6.0 on Windows Server 2003"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 23 Jul 2004 18:40:21 -0700
If PHP insists on using CMD.EXE to execute the shell() command on the
server, then no, you have no choice -- you must give read permissions to the
web-authenticated user (it sounds like you are only using anonymous) to
CMD.EXE.
At this point, this would be a security vulnerability caused by PHP. IIS6
is simply the messenger in making this decision explicit.
Some alternatives you can look into -- try to invoke the CreateProcess Win32
API function from PHP to directly invoke and execute zipcode.exe (no
requirement on CMD.EXE) -- or try to use case #3 and cause IIS to directly
invoke zipcode.exe and send its data back to the browser (you'll want to use
something like ServerSideIncludes to place formatting before/after this data
blob).
-- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // <anonymous@discussions.microsoft.com> wrote in message news:305901c470e3$8cf57480$a301280a@phx.gbl... Yes my case is like #2 ----------- Allow the user to browse to a web page, which executes zipcode.exe on the server, and the web page formats the output and returns it to the browser as a web page. This requires Web Service Extension for the script engine hosting the web page (but NOT needed for zipcode.exe -- since IIS directly executes the web page, which indirectly executes zipcode.exe). --------- When i visitor browses http://mysite.com/lookup.php?zipcode=03791 The lookup.php page take the input var of 03791 and passes it off to the zipcode.exe (a commandline module for windows) then the results are sent back to the php page to be used to look up information. So basicly zipcode.exe a command line tool that returns a result based on the var's passed. This tool works in my exsisting IIS 5 web site application in my windows 2000 server. We are upgrading a new server that is running windows 2003 server with IIS 6. I have IIS and PHP 4 running and ALL of my php pages are running fine except the ones that call zipcode.exe I have read the if I give execute permissions to %SystemRoot%/System32/cmd.exe for the user IUSR_sytemname then the shell command will work. I'm reluctant to give acces rights to the IUSR_sytemname becuse of security reasons. Is their any workaround other than giving access rights to the command line? Thanks >-----Original Message----- >what's the error msgs ? >http status in IIS log file ? > > >-- >Regards, >Bernard Cheah >http://www.tryiis.com/ >http://support.microsoft.com/ >http://www.msmvps.com/bernard/ > > > >"tim" <timg@russound.com> wrote in message >news:0a1e01c46e72$fbe3bd70$a601280a@phx.gbl... >> I have looked at the MIME Types and .EXE is listed as: >> application/octet-stream with NO luck... >> >> >> >> >-----Original Message----- >> >I am also experience the similar problems >> > >> >I have a zip code look up tool that runs in a web page >> and >> >calls zipcode.exe and passes a zip code to it then >> >displays the zip code with X radius >> >For example: >> >From a command prompt: >> >C:\ zipcode.exe 03852 5 >> >03853 >> >03854 >> >03855 >> >03856 >> >03857 >> > >> >I call this script in my web page and pass the zip code >> >and radius as variables and it WORKS in IIS 5 >> > >> >I have looked at the MIME Types and .EXE is listed as: >> >application/octet-stream >> > >> >Now What? >> > >> > >> >>-----Original Message----- >> >>I found the answer: >> >> >> >>If you are using IIs 6.0 (supplied with Windows 2003), >> >IIS >> >>serves only files with extensions registered in its MIME >> >>types list. To ensure that IIS serves the requested >> >files, >> >>either add each extension used by those files or a >> >>wildcard (.*) to the list. To do this, find the top- >> level >> >>web directory, open the properties pages and click the >> >>HTTP Headers tab. Then selet MIME types and add the >> >>extensions, mapping them to MIME type 'application/octet- >> >>stream'. >> >> >> >>Thanks, >> >> >> >>Steve Cox >> >>>-----Original Message----- >> >>>What do you mean "it broke"? What happens now when you >> >>click a link? >> >>> >> >>>Cheers >> >>>Ken >> >>> >> >>> >> >>>"Steve Cox" <anonymous@discussions.microsoft.com> wrote >> >>in message >> >>>news:28d4b01c46538$0a2d6e60$a601280a@phx.gbl... >> >>>: I need to understand if I can launch a desktop >> >installed >> >>>: application from a webpage hosted on IIS 6.0? I have >> >>this >> >>>: working on IIS 5.0, however it broke after upgrading. >> >In >> >>>: IIS 5.0 it was simple, just by adding a file >> >association >> >>>: on the desktop the web link just fires off the local >> >>>: application. It simplifies the use by plant floor >> >>>: operators that use of our applications. >> >>>: >> >>>: Any assistance is appreciated. >> >>>: >> >>>: Thanks, >> >>>: >> >>>: Steve Cox >> >>>: >> >>> >> >>> >> >>>. >> >>> >> >>. >> >> >> >. >> > > > >. >
- Previous message: tim: "Re: Executing a locally installed program in IIS 6"
- In reply to: anonymous_at_discussions.microsoft.com: "Re: IIS 6.0 on Windows Server 2003"
- Next in thread: anonymous_at_discussions.microsoft.com: "Re: IIS 6.0 on Windows Server 2003"
- Reply: anonymous_at_discussions.microsoft.com: "Re: IIS 6.0 on Windows Server 2003"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
|
