[THIN] Re: OT: Script Gurus?

  • From: "Jim Kenzig http://thethin.net" <jimkenz@xxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Thu, 17 Apr 2003 08:36:21 -0400

Or he could just use http://thethin.net/iniwrite.zip
JK

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On
Behalf Of Braebaum, Neil
Sent: Thursday, April 17, 2003 6:09 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: OT: Script Gurus?



Comments inline...

> -----Original Message-----
> From: TheThin [mailto:TheThin@xxxxxxxxxxxxxxxxxxxxx]
> Sent: 16 April 2003 23:25
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] OT: Script Gurus?
>
> I am writing a script to edit an INI file on login.
> Basically, I want to scan a list of directories and if the
> user has access to the directory put an entry in the .ini
> file for it.  I have everything worked out except for the
> ability to tell whether the user has access to the directory
> (ironically, I thought that would be the easy part).
>
> Currently I have permissions set so that user JQPublic cannot
> see the file h:\point\lithonia\active\folder.ini .

Can you be a bit more specific about the DACLs you've set? When you say
"cannot see" do you mean they shouldn't have any access to the files? Or
merely that they should be hidden?

> In fact, JQPublic cannot see anything under the lithonia
> folder at all. I have verified this with a DOS-based "if
> exist" statement, and also dir commands, and cd commands.
> JQPublic cannot see the "folder.ini" file, and cannot even
> see the "h:\point\lithonia\active" directory.  He cannot
> change into this directory, and if he does a dir on
> h:\point\lithonia he gets a blank directory.
>
> Yet my vbscript issuing the following commands, sees the file
> every time:
>
>         Set fso = CreateObject("Scripting.FileSystemObject")
>         sFolder = "h:\point\lithonia\active\folder.ini"
>         If (fso.FileExists(sFolder)) Then
>           wscript.echo sFolder & " Exists and can be read"
>         End If
>
> If I can't use the fso.FileExists property, is there another
> method to tell whether a user can access a file with
> vbscript?

To be accurate / pedantic, you are not merely using vbscript, here, you are
accessing aspects of WSH, through vbscript.

Things like this have to be provided by a scripting host environment,
as opposed to a vbscript interpreter.

> Also, this would seem to be a security hole
> (albeit minor).

Could you be more specific about exactly how you've gone about hiding /
restricting these files / folders, before we get into claims about security
holes?

> In that using a simple vbscript, an attacker
> could guess whether certain files exist and map a directory
> structure through trial and error for things he shouldn't be
> able to see.

That does rather depend on how the "shouldn't be able to see" is implemented,
though. More clarification, please.

Neil
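
One way to test real access from WSH rather than mere existence, given as an added example that is not code from anyone in this thread: attempt the operation itself and trap the error. The function names and the second directory in the list are hypothetical.

```vbscript
Option Explicit

Const ForReading = 1

' True only if the current user can actually open the file for reading.
' FileExists answers "is it there?"; this answers "can I read it?".
Function CanReadFile(fso, path)
    Dim ts
    CanReadFile = False
    On Error Resume Next
    Set ts = fso.OpenTextFile(path, ForReading)
    If Err.Number = 0 Then
        ts.Close
        CanReadFile = True
    End If
    Err.Clear
    On Error GoTo 0
End Function

' True only if the current user can enumerate the folder's contents.
Function CanListFolder(fso, path)
    Dim n
    CanListFolder = False
    On Error Resume Next
    n = fso.GetFolder(path).Files.Count
    If Err.Number = 0 Then CanListFolder = True
    Err.Clear
    On Error GoTo 0
End Function

Dim fso, dirs, d
Set fso = CreateObject("Scripting.FileSystemObject")

' Constructed sample list; the first entry is the folder from the original post.
dirs = Array("h:\point\lithonia\active", "h:\point\example")

For Each d In dirs
    If CanListFolder(fso, d) And CanReadFile(fso, d & "\folder.ini") Then
        WScript.Echo d & " : accessible, add INI entry"
    Else
        WScript.Echo d & " : not accessible, skip"
    End If
Next
```

Run it with cscript.exe in the security context of the user being tested, since the result reflects the account the script host runs under.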
