Re: Executing a locally installed program in IIS 6

From: Tim (anonymous_at_discussions.microsoft.com)
Date: 07/27/04

    Date: Tue, 27 Jul 2004 08:09:04 -0700
    
    

    Thanks for the follow up.

    I agree that this is a security hole and am looking into
    other alternatives.

    Thanks

    >-----Original Message-----
    >Hi, I've been on the other thread. This is the problem with multi-posting,
    >Tim. Multiple people on a given problem and not aware of each other.
    >
    >At this point, it appears that PHP requires enabling a security
    >vulnerability on Windows Server 2003 in order to function (its shell()
    >function needs CMD.EXE to have weak ACLs and accessible via IIS -- something
    >we explicitly denied with IIS6 on Windows Server 2003). I gave some
    >possible alternatives, but the underlying problem is PHP needing a security
    >vulnerability to "work" without modifications.
    >
    >--
    >//David
    >IIS
    >This posting is provided "AS IS" with no warranties, and confers no rights.
    >//
    >"tim" <tim@discussions.microsoft.com> wrote in message
    >news:2ec001c470e4$9fb218c0$a601280a@phx.gbl...
    >OK, well, I guess I was not specific enough in this post. I
    >have found another thread that I thought was talking about
    >a similar problem and posted in there thinking that they
    >were having the same problem (turns out it was something
    >different): "Re: IIS 6.0 on Windows Server 2003."
    >
    >However, here is the excerpt of the message.
    >My case is
    >-----------
    >Allow the user to browse to a web page, which executes
    >zipcode.exe on the server, and the web page formats the
    >output and returns it to the browser as a web page.
    >---------
    >
    >When a visitor browses
    >http://mysite.com/lookup.php?zipcode=03791
    >the lookup.php page takes the input var of 03791 and passes
    >it off to zipcode.exe (a command-line module for Windows).
    >
    >Then the results are sent back to the PHP page to be used
    >to look up information.
    >
    >So basically zipcode.exe is a command-line tool that returns a
    >result based on the vars passed.
    >
    >This tool works in my existing IIS 5 web site application
    >on my Windows 2000 server.
    >
    >We are upgrading to a new server that is running Windows 2003
    >Server with IIS 6.
    >
    >I have IIS and PHP 4 running and ALL of my PHP pages are
    >running fine except the ones that call zipcode.exe.
    >
    >I have read that if I give execute permissions to
    >%SystemRoot%/System32/cmd.exe for the user IUSR_sytemname
    >then the shell command will work.
    >I'm reluctant to give access rights to the IUSR_sytemname
    >because of security reasons.
    >
    >Is there any workaround other than giving access rights to
    >the command line?
    >
    >Thanks
    >Tim
    >
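Added example, not part of the original posts and not code from either participant: one way a page like lookup.php can start zipcode.exe directly instead of through CMD.EXE, so that no permissions on cmd.exe are needed for the anonymous IIS user. It assumes PHP 7.4 or later (where proc_open() accepts an argument array and starts the process without a shell; the PHP 4 in the thread does not have this), a hypothetical install path, and that zipcode.exe takes the ZIP code as its only argument and exits with 0 on success.

```php
<?php
declare(strict_types=1);

// Hypothetical install path; the thread does not say where zipcode.exe lives.
const ZIPCODE_EXE = 'C:\\Tools\\zipcode.exe';

/** Return the value only if it is exactly five ASCII digits, otherwise null. */
function validate_zipcode($raw): ?string
{
    return (is_string($raw) && preg_match('/\A[0-9]{5}\z/', $raw) === 1) ? $raw : null;
}

/** Run the tool without a shell and return its trimmed stdout, or null on failure. */
function run_zipcode_tool(string $zip): ?string
{
    // stdin and stderr go to the null device; only stdout is read back.
    $spec = [0 => ['null'], 1 => ['pipe', 'w'], 2 => ['null']];

    // Array form: PHP launches the executable itself and quotes each argument,
    // so cmd.exe is never involved and shell metacharacters have no meaning.
    $proc = proc_open([ZIPCODE_EXE, $zip], $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }

    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $exit = proc_close($proc);

    // Assumption: exit code 0 means the lookup succeeded.
    return ($exit === 0 && $out !== false) ? trim($out) : null;
}

// Request handling: reject anything that is not a five-digit ZIP code
// before it gets anywhere near the process launch.
$zip = validate_zipcode($_GET['zipcode'] ?? null);
if ($zip === null) {
    http_response_code(400);
    exit('Invalid ZIP code');
}

$result = run_zipcode_tool($zip);
if ($result === null) {
    http_response_code(500);
    exit('Lookup failed');
}

// The tool's output is untrusted text as far as the HTML page is concerned.
echo htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
```

With this approach the anonymous IIS account needs read and execute rights on zipcode.exe only, and the ACLs on cmd.exe can stay as Windows Server 2003 ships them.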

