Re: IIS 6.0 on Windows Server 2003
anonymous_at_discussions.microsoft.com
Date: 07/27/04
- Next message: PaulT: "Trimming down App. Mappings in IIS 6.0"
- Previous message: Tim: "Re: Executing a locally installed program in IIS 6"
- In reply to: David Wang [Msft]: "Re: IIS 6.0 on Windows Server 2003"
- Next in thread: David Wang [Msft]: "Re: IIS 6.0 on Windows Server 2003"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 27 Jul 2004 08:11:15 -0700
Thanks for the follow up.
I agree that this is a security hole and am looking into
other alternatives.
Thanks
>-----Original Message-----
>If PHP insists on using CMD.EXE to execute the shell() command on the
>server, then no, you have no choice -- you must give read permissions to the
>web-authenticated user (it sounds like you are only using anonymous) to
>CMD.EXE.
>
>At this point, this would be a security vulnerability caused by PHP. IIS6
>is simply the messenger in making this decision explicit.
>
>Some alternatives you can look into -- try to invoke the CreateProcess Win32
>API function from PHP to directly invoke and execute zipcode.exe (no
>requirement on CMD.EXE) -- or try to use case #3 and cause IIS to directly
>invoke zipcode.exe and send its data back to the browser (you'll want to use
>something like ServerSideIncludes to place formatting before/after this data
>blob).
>
>--
>//David
>IIS
>This posting is provided "AS IS" with no warranties, and confers no rights.
>//
><anonymous@discussions.microsoft.com> wrote in message
>news:305901c470e3$8cf57480$a301280a@phx.gbl...
>Yes my case is like #2
>-----------
>Allow the user to browse to a web page, which executes
>zipcode.exe on the server, and the web page formats the
>output and returns it to the browser as a web page. This
>requires Web Service Extension for the script engine
>hosting the web page (but NOT needed for zipcode.exe --
>since IIS directly executes the web page, which indirectly
>executes zipcode.exe).
>---------
>
>When a visitor browses
>http://mysite.com/lookup.php?zipcode=03791
>The lookup.php page takes the input var of 03791 and passes
>it off to the zipcode.exe (a commandline module for
>windows)
>
>then the results are sent back to the php page to be used
>to look up information.
>
>So basically zipcode.exe is a command line tool that returns a
>result based on the vars passed.
>
>This tool works in my existing IIS 5 web site application
>in my windows 2000 server.
>
>We are upgrading a new server that is running windows 2003
>server with IIS 6.
>
>I have IIS and PHP 4 running and ALL of my php pages are
>running fine except the ones that call zipcode.exe
>
>I have read that if I give execute permissions to
>%SystemRoot%/System32/cmd.exe for the user IUSR_sytemname
>then the shell command will work.
>I'm reluctant to give access rights to the IUSR_sytemname
>because of security reasons.
>
>Is there any workaround other than giving access rights to
>the command line?
>
>Thanks
>>-----Original Message-----
>>what's the error msgs ?
>>http status in IIS log file ?
>>
>>
>>--
>>Regards,
>>Bernard Cheah
>>http://www.tryiis.com/
>>http://support.microsoft.com/
>>http://www.msmvps.com/bernard/
>>
>>
>>
>>"tim" <timg@russound.com> wrote in message
>>news:0a1e01c46e72$fbe3bd70$a601280a@phx.gbl...
>>> I have looked at the MIME Types and .EXE is listed as:
>>> application/octet-stream with NO luck...
>>>
>>>
>>>
>>> >-----Original Message-----
>>> >I am also experiencing similar problems
>>> >
>>> >I have a zip code look up tool that runs in a web page and
>>> >calls zipcode.exe and passes a zip code to it then
>>> >displays the zip code with X radius
>>> >For example:
>>> >From a command prompt:
>>> >C:\ zipcode.exe 03852 5
>>> >03853
>>> >03854
>>> >03855
>>> >03856
>>> >03857
>>> >
>>> >I call this script in my web page and pass the zip code
>>> >and radius as variables and it WORKS in IIS 5
>>> >
>>> >I have looked at the MIME Types and .EXE is listed as:
>>> >application/octet-stream
>>> >
>>> >Now What?
>>> >
>>> >
>>> >>-----Original Message-----
>>> >>I found the answer:
>>> >>
>>> >>If you are using IIS 6.0 (supplied with Windows 2003), IIS
>>> >>serves only files with extensions registered in its MIME
>>> >>types list. To ensure that IIS serves the requested files,
>>> >>either add each extension used by those files or a
>>> >>wildcard (.*) to the list. To do this, find the top-level
>>> >>web directory, open the properties pages and click the
>>> >>HTTP Headers tab. Then select MIME types and add the
>>> >>extensions, mapping them to MIME type 'application/octet-stream'.
>>> >>
>>> >>Thanks,
>>> >>
>>> >>Steve Cox
>>> >>>-----Original Message-----
>>> >>>What do you mean "it broke"? What happens now when you
>>> >>>click a link?
>>> >>>
>>> >>>Cheers
>>> >>>Ken
>>> >>>
>>> >>>
>>> >>>"Steve Cox" <anonymous@discussions.microsoft.com> wrote in message
>>> >>>news:28d4b01c46538$0a2d6e60$a601280a@phx.gbl...
>>> >>>: I need to understand if I can launch a desktop installed
>>> >>>: application from a webpage hosted on IIS 6.0? I have this
>>> >>>: working on IIS 5.0, however it broke after upgrading. In
>>> >>>: IIS 5.0 it was simple, just by adding a file association
>>> >>>: on the desktop the web link just fires off the local
>>> >>>: application. It simplifies the use by plant floor
>>> >>>: operators that use our applications.
>>> >>>:
>>> >>>: Any assistance is appreciated.
>>> >>>:
>>> >>>: Thanks,
>>> >>>:
>>> >>>: Steve Cox
>>> >>>:
>
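The direct-invocation alternative suggested in the quoted reply (start zipcode.exe without going through CMD.EXE), as an added example that is not part of the original thread. It assumes PHP 7.4 or later, where proc_open() accepts an argument array and starts the program without a shell; the install path, the "radius" request parameter and the exit-code convention are assumptions.

```php
<?php
// Added example, not code from the thread. Assumptions: PHP 7.4+,
// ZIPCODE_EXE is a hypothetical install path, the tool prints one ZIP
// code per line (as in the command-prompt sample) and exits 0 on success.
const ZIPCODE_EXE = 'C:\\tools\\zipcode.exe';

function lookup_zipcodes($zip, $radius): array
{
    // Allow-list the request parameters before they reach the tool.
    if (!is_string($zip) || !preg_match('/\A\d{5}\z/', $zip)) {
        throw new InvalidArgumentException('zip must be exactly five digits');
    }
    if (!is_string($radius) || !preg_match('/\A\d{1,3}\z/', $radius)) {
        throw new InvalidArgumentException('radius must be one to three digits');
    }

    // Array form: PHP starts the executable itself, so no shell parses the
    // arguments and the web identity needs no rights on cmd.exe.
    $descriptors = [
        0 => ['null'],       // no stdin
        1 => ['pipe', 'w'],  // capture stdout
        2 => ['null'],       // discard stderr
    ];
    $proc = proc_open([ZIPCODE_EXE, $zip, $radius], $descriptors, $pipes);
    if ($proc === false) {
        throw new RuntimeException('could not start zipcode.exe');
    }
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('zipcode.exe reported an error');
    }

    // Keep only lines that look like ZIP codes; drop anything unexpected.
    $zips = [];
    foreach (preg_split('/\R/', (string) $output) as $line) {
        if (preg_match('/\A\d{5}\z/', trim($line))) {
            $zips[] = trim($line);
        }
    }
    return $zips;
}

// lookup.php?zipcode=03791&radius=5 ("radius" is an assumed parameter name)
if (PHP_SAPI !== 'cli') {
    $zips = lookup_zipcodes($_GET['zipcode'] ?? '', $_GET['radius'] ?? '5');
    echo htmlspecialchars(implode(', ', $zips), ENT_QUOTES, 'UTF-8');
}
```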