[THIN] Re: OT: Script Gurus?

  • From: "Braebaum, Neil" <Neil.Braebaum@xxxxxxxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Thu, 17 Apr 2003 11:08:57 +0100

Comments inline...

> -----Original Message-----
> From: TheThin [mailto:TheThin@xxxxxxxxxxxxxxxxxxxxx] 
> Sent: 16 April 2003 23:25
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] OT: Script Gurus?
> 
> I am writing a script to edit an INI file on login.  
> Basically, I want to scan a list of directories and if the 
> user has access to the directory put an entry in the .ini 
> file for it.  I have everything worked out except for the 
> ability to tell whether the user has access to the directory 
> (ironically, I thought that would be the easy part).
> 
> Currently I have permissions set so that user JQPublic cannot 
> see the file h:\point\lithonia\active\folder.ini .

Can you be a bit more specific about the DACLs you've set? When you say
"cannot see" do you mean they shouldn't have any access to the files? Or
merely that they should be hidden?

> In fact, JQPublic cannot see anything under the lithonia 
> folder at all. I have verified this with a dos based "if 
> exist" statement, and also dir commands, and cd commands.  
> JQPublic cannot see the "folder.ini" file, and cannot even 
> see the "h:\point\lithonia\active" directory.  He cannot 
> change into this directory, and if he does a dir on 
> h:\point\lithonia he gets a blank directory.
> 
> Yet my vbscript issuing the following commands, sees the file 
> every time:
> 
>         Set fso = CreateObject("Scripting.FileSystemObject")
>         sFolder = "h:\point\lithonia\active\folder.ini"
>         If (fso.FileExists(sFolder)) Then
>           wscript.echo sFolder & " Exists and can be read"
>         End If
> 
> If I can't use the fso.FileExists property, is there another 
> method to tell whether a user can access a file with 
> vbscript?

To be accurate / pedantic, you are not merely using vbscript here; you are
accessing aspects of WSH through vbscript.

Things like this have to be provided by a scripting host environment,
as opposed to a vbscript interpreter.

> Also, this would seem to be a security hole 
> (albeit minor).

Could you be more specific about exactly how you've gone about hiding /
restricting these files / folders, before we get into claims about security
holes?

> In that using a simple vbscript, an attacker 
> could guess whether certain files exist and map a directory 
> structure through trial and error for things he shouldn't be 
> able to see.

That does rather depend on how the "shouldn't be able to see" is implemented,
though. More clarification, please.

Neil
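
Added example, not part of the original thread or either poster's code: one way to answer the "can this user actually access it" question from a login script is to attempt the real operation (enumerate the folder, open the file for reading) under the user's own token and trap the error, rather than relying on an existence test. The function names CanListFolder and CanReadFile are hypothetical; the path is the one quoted in the post, and the script assumes it runs under cscript/wscript as the logged-on user.

```vbscript
Option Explicit

Const ForReading = 1
Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")

' True only if the current user can enumerate the folder's contents.
Function CanListFolder(sPath)
    Dim n
    CanListFolder = False
    On Error Resume Next
    n = fso.GetFolder(sPath).Files.Count   ' fails if the folder is missing or listing is denied
    If Err.Number = 0 Then CanListFolder = True
    Err.Clear
    On Error GoTo 0
End Function

' True only if the current user can open the file for reading.
Function CanReadFile(sPath)
    Dim ts
    CanReadFile = False
    On Error Resume Next
    Set ts = fso.OpenTextFile(sPath, ForReading, False)
    If Err.Number = 0 Then
        ts.Close
        CanReadFile = True
    End If
    Err.Clear
    On Error GoTo 0
End Function

' Directory list to test; only the first entry comes from the post.
Dim aDirs, sDir, sIni
aDirs = Array("h:\point\lithonia\active")

For Each sDir In aDirs
    sIni = sDir & "\folder.ini"
    ' Report the existence test next to the two effective-access tests
    ' so any disagreement between them is visible per directory.
    WScript.Echo sDir & _
        " | FileExists=" & fso.FileExists(sIni) & _
        " | CanListFolder=" & CanListFolder(sDir) & _
        " | CanReadFile=" & CanReadFile(sIni)
Next
```

A row where FileExists is True but both access tests are False is the case described in the post, and is the output worth attaching when reporting the DACLs in question.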
