File System Object
Hi All, I see many familiar names from the old SkyPortal site; a site I still access regularly to find answers to my questions.
Sadly, I have a problem that is not specifically SkyPortal but is classic ASPand I'm hoping I may find some help here.....
My hosting company has recently been attacked and that attach utilised FSO to write index files all over the server. Their solution included disabling FSO.
I'm no programmer but it seems to me that FSO is truely embedded within SkyPortal so a couple of questions...
1. Has anyone else encountered this vulnerability utilising FSO?
2. Is there a way around using FSO in SkyPortal - asuming this vulnerability can only be pluggd by disabling FSO.
TIA
Ian
Sorry Flappy, I didn't mean to suggest there was a fault with the SkyPortal code. I understand there was a hack on the server and the hacker made use of FSO to write malicious files to every directory with write permissions. The host is now saying they cannot switch FSO back on as it presents a security breech. I'll PM the details and let you decide if there is any information that could be useful to post back here.
Thanks
There are many places in SkyPortal where querystring is NOT checked. Practically on every page in Admin options. The reason Tom had for this, if I remember correctly, was that admin-pages was/is not public and if the admin user and password was set to something safe, everything should be ok anyway.
Furthermore, even if the core and all the modules that Tom released is safe, there is always the matter of other modules from other developers. I'm not saying they aren't safe, they might be, but they might also not be since they are not tested for it. And that is solely up to the developer that wrote that code. If he/she was an experienced developer knowing that it's necessary to check all querystrings then everything should be fine with those modules.
Ditto what Maggie said. The justification for the admin section was that you are required to re-login to ensure security. Since there was no established QA process for 3rd party modules, and since Tom was the sole gatekeeper, the release of a module simply meant activating the download link. There was never any guarantee of security with non-SP modules.
Having said that, SP is reasonably tight. I read through the forums for your host and the server-wide exploitation is unfortunately not a new scenario. I've seen it pop up on a number of hosts. And, in each case, the reaction of the host is to simply disable FSO instead of instituting user-level security in IIS. This is probably because most hosts these days are simply resellers on larger hosts servers. Therefore, there is no control over system wide permissions (ie IIS settings). The only control a 'host' has is the ability to enable/disable functionality for all of their accounts at once.
I still run the SkyPortal site software and i have had many attempts to hack my site but all were not successful, i feel my IIS and the settings in SP are tight as was mentioned in one of the replies here. i host my own site and a couple more and so far so good and still have FSO available, so it may be that they had a hole some where and they blamed it on FSO. this is just my opinion
It was my impression that Tom had implemented appropriate querystring filters that were used throughout the site. I don't recall any vulnerabilities with any specific pages allowing untrusted access to the FSO object.
However, I don't know who your host is and what their policy is on permissions granted to folders in your web root. It's entirely possible that it wasn't your account that got hacked, but someone else's who has FSO exposed.
PM me the name of your host and the URL of your site, and I'll do some digging.
"Once in a while you get shown the light
in the strangest of places if you look at it right."
-Garcia/Hunter