StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
13172028
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
3
CommunityOwnedDate
CreationDate
2012-11-01T06:26:04.370
FavoriteCount
0
LastActivityDate
2012-11-01T06:32:11.937
LastEditDate
2017-05-23T11:55:56.487
LastEditorUserId
-1
OwnerUserId
159270
ParentId
13169589
PostTypeId
2
Score
1
ViewCount
0
LastEditorDisplayName
text
Body
The main problem is to been able to upload a script, an aspx page, in this directory with the photo files, and runs it. Here is one case: <a href="https://stackoverflow.com/questions/4288362/ive-been-hacked-evil-aspx-file-uploaded-called-aspxspy-theyre-still-trying">I've been hacked. Evil aspx file uploaded called AspxSpy. They're still trying. Help me trap them‼</a> The solution to that is to add this extra <code>web.config</code> file on the directories that allow to upload files and not permit to run any aspx page. Also double check to allow only extensions that you permit and not allow to change that on the file name, if they have the opportunity to make rename. <pre><code><configuration> <system.web> <authorization> <deny users="*" /> </authorization> </system.web> </configuration> </code></pre> Also on the directories that you allow to upload files, do not permit to run any other script like simple asp, or php or exe, or anything. <h2>general speaking</h2> All your pages have permissions to run and manipulate many things on the server. What you give now is the ability of <code>write</code> on some directories, also by using some aspx page. The asp.net now have one more extra permission to write files there, on the photo folder. Also note here, that you asp.net page have this control, not the user. What you do there with your code can write on this directories, so must be carefuller there to double check where you write and not allow any other directories, not allow the user to manipulate the directory that can be written to. So this is the weak link. To been able to upload more script that can take control of the server, at least the part that can be access by the asp.net user of this pool.
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POWeb-enabled file storage and security implications of giving delete permission to IIS_IUSRS
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. USCommunity
UserOwnerUserId
1. USAristos
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.