lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: mattmurphy at (
Subject: Frontpage Extensions Remote Command Execution

"Geo" <> writes:

>No it's not, IWAM is Web Applications MANAGER account you were thinking of
>IUSR perhaps? This is not guest. This account can change websites so in a
>multi host environment this level of access will allow a compromise of
>every website on the server.

You're flat out wrong on this point.  I have IIS installed on the machine
that I write from now (firewalled to LAN).  IWAM is a GUEST.  Guests are
members of USERS.  And if you read MSDN's documentation, out-of-process
applications are *not* allowed metabase access in any way shape or form. 
The metabase file's permissions are restricted to Administrators only. 
Looking at the description of the IWAM_machinename account on my system, it
is listed as the "Launch Process Account".  IWAM has *no* privileges other
than those explicitly granted to Guests, Users, or Everyone.

The *only* way that a process running as IWAM can access the metabase is if
an Administrator authenticates to IIS and it uses that user's account as
its impersonation token.  In any case, that is specific to the thread
processing that request.

mail2web - Check your email from the web at .

Powered by blists - more mailing lists