Directories being created when calling asp script

 
wizzer
-


Joined: 05 May 2003
Posts: 10

Posted: Tue May 06, 2003 12:47 pm    Post subject: Directories being created when calling asp script

First off...thanx for Abyss :D It rocks.

Second..my 1st attempt at using ASP succeeded. I installed a script that shows the contents of a server that is browseable - but whenever I call the script, it makes a series of directories within the "htdocs" folder. I've attached a screen shot to show you.

I've checked it out and it seems to be the script calling that creates the dirs...so I was hoping someone here could help me understand why it's doing this and whether it's a security risk?



Code:

<%Response.Expires=0%>
<html>
<STYLE TYPE="text/css">
<!--
A:link {text-decoration: none; }
A:visited {text-decoration: none;}
A:active {text-decoration: none;color:red; }
A:hover   {text-decoration:underline;color:red;}
-->
</STYLE>
<body bgcolor="white"><center>
<Caption><b>FTP File Index</caption><BR>
Current Folder: </b>
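<%
Dim curr_dir, curr_dir2, obj, res

' Folder requested by the visitor (untrusted input from the query string)
curr_dir = Request.QueryString("dir")

' Third-party file-listing COM component used by this script
Set obj = CreateObject("ListFiles.Files")

' Page that the generated folder links point back to
obj.AspFile = "list.asp"

' Folder on disk that is published, and its virtual path
obj.RootFolder = "d:\Guest"
obj.RootVirtualFolder = ""

obj.Href = "off"
obj.FPsupport = "off"

' The query-string value is handed to the component as-is
obj.CurrentFolder = curr_dir

obj.TargetLinks = ""

' Icons used in the listing
obj.ImageOpenFolder = "open.gif"
obj.ImageCloseFolder = "close.gif"
obj.ImageFiles = "doc.gif"

obj.AdvanceView = "on"
obj.CtrlRedirFile = ""

' Markup for the generated table
obj.setTableTag = "<table border=1 bordercolordark='#464646' cellspacing=0 bgcolor='#dcdcdc'>"
obj.setNameColName = "<b>Name</b>"
obj.setNameColSize = "&nbsp;<b>Size</b> <i>(bytes)</i>"
obj.setNameColLastMod = "&nbsp;<b>Last Modified</b>"
obj.setDivider = "<hr color='#b22222'>"

' Build the listing and fetch the generated HTML
obj.Runme()
res = obj.Result

' Show "\" when no folder was requested
If curr_dir = "" Then
   curr_dir2 = "\"
Else
   curr_dir2 = curr_dir
End If

' HTML-encode the visitor-supplied folder name before echoing it back
Response.Write "<b>" & Server.HTMLEncode(curr_dir2) & "</b><p>"
' The component's own HTML output is written unchanged
Response.Write res

Set obj = Nothing
%>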
</BODY>
</HTML>
vbgunz
-


Joined: 02 Feb 2003
Posts: 615
Location: Florida

Posted: Tue May 06, 2003 5:56 pm

That script looks really fishy and I'd like to know its purpose... It seems to be duplicating your system files which can hold some very private information... Not sure if it's just creating an empty directory mirror or if it's actually synchronizing with your %systemdrive%... Looks funny...

Just find out the purpose of the script and see if it's actually fulfilling its purpose otherwise it doesn't look right...
_________________
Victor B. Gonzalez
http://aeonserv.com
wizzer
-


Joined: 05 May 2003
Posts: 10

Posted: Tue May 06, 2003 6:15 pm

@vbgunz...

The script calls the directory structure of "D:\Guest" and displays it in a browseable type page. If I click on one dir, it goes into the sub-dirs, etc.

The script is working great and doing exactly what it's supposed to, except for making that series of dirs under htdocs.

It was a downloadable script, so I'm kinda curious about the Write statements towards the bottom of it.

I haven't been able to gain access to my system drive and nobody else has either..maybe time to look for another script that does the same purpose.

Thanx..
vbgunz
-


Joined: 02 Feb 2003
Posts: 615
Location: Florida

Posted: Tue May 06, 2003 7:55 pm

It might be doing exactly as intended, just I was thinking that if you really wish to just browse and not write to the C:\account you can probably create an alias to your C:\account instead of trusting a third party script to do it... Also I thought it was just strange to have a script mirror and write that account into your htdocs directory... It could be working as intended as I do not know what its intention is but an immediate look at it seemed weird...

I hope it works as intended and in a non malicious way... Good luck :)
_________________
Victor B. Gonzalez
http://aeonserv.com
markgarrigan
-


Joined: 10 Jun 2003
Posts: 2

Posted: Thu Jun 12, 2003 6:18 am

This exact same thing is happening for me too?

Is it something I need to worry about security wise....
os17fan
-


Joined: 21 Mar 2003
Posts: 531
Location: USA

Posted: Thu Jun 12, 2003 1:54 pm

I can't believe you all have never really seen these c:\ drive folder view scripts; even I myself can't trust it. Go to your domain for your asp folder

http://yourdomain/ahtml/ and then click on samples at the bottom and you will find a folder view ASP script that lets you view your entire c:\ drive but I deleted my samples folder so people can't see my hard drive


THAT SCRIPT LOOKS VERY DANGEROUS TO USE ESPECIALLY BECAUSE IT SHOWS YOUR ENTIRE HARD DRIVE TO YOUR VISITORS 8)
_________________
This web server is the best !
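
Added example, not part of the thread and not the downloaded script: a read-only folder listing that keeps the visitor-supplied "dir" value inside the published root, using the standard Scripting.FileSystemObject rather than the ListFiles.Files component. The root "d:\Guest" and the page name "list.asp" are taken from the first post; the helper IsInsideRoot is an illustrative name.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example: a read-only listing that confines the "dir" parameter to ROOT.
' IsInsideRoot is an illustrative helper, not part of any component.
Const ROOT = "d:\Guest"          ' same root folder as in the posted script

' True only when candidate is rootDir itself or a path beneath it.
Function IsInsideRoot(candidate, rootDir)
    Dim prefix
    prefix = rootDir
    If Right(prefix, 1) <> "\" Then prefix = prefix & "\"
    IsInsideRoot = (StrComp(candidate, rootDir, vbTextCompare) = 0) Or _
        (StrComp(Left(candidate, Len(prefix)), prefix, vbTextCompare) = 0)
End Function

Dim fso, rootPath, reqDir, target, item, rel
Set fso = Server.CreateObject("Scripting.FileSystemObject")
rootPath = fso.GetAbsolutePathName(ROOT)

' Untrusted input: force to a string and normalise the separators.
reqDir = Replace(Request.QueryString("dir") & "", "/", "\")
If reqDir = "" Then
    target = rootPath
Else
    ' Canonicalise first so "..\" sequences are resolved, then compare.
    target = fso.GetAbsolutePathName(fso.BuildPath(rootPath, reqDir))
End If

' Same response for "outside the root" and "does not exist", so the page
' cannot be used to probe which folders exist elsewhere on the disk.
If Not (IsInsideRoot(target, rootPath) And fso.FolderExists(target)) Then
    Response.Status = "404 Not Found"
    Response.Write "Folder not found."
    Response.End
End If

' Every value that came from the request or the disk is encoded on output.
Response.Write "<p>Current Folder: <b>" & _
    Server.HTMLEncode("\" & Mid(target, Len(rootPath) + 2)) & "</b></p><ul>"
For Each item In fso.GetFolder(target).SubFolders
    rel = Mid(item.Path, Len(rootPath) + 2)   ' path relative to ROOT
    Response.Write "<li><a href=""list.asp?dir=" & Server.URLEncode(rel) & _
        """>" & Server.HTMLEncode(item.Name) & "</a></li>"
Next
For Each item In fso.GetFolder(target).Files
    Response.Write "<li>" & Server.HTMLEncode(item.Name) & " (" & item.Size & " bytes)</li>"
Next
Response.Write "</ul>"
%>
```

The comparison is made on the canonical path string, so a junction inside the root that points elsewhere on the disk is not caught by it.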
All times are GMT + 1 Hour