DATE: COMMAND SOURCE: AUTHOR: IIS SYSTEMS AFFECTED Win NT Microsoft Internet Information Server 3.0 PROBLEM Daragh Malone provided this information. It appears that any Active Server Page can create, read, write or overwrite any file on the system, regardless of security permissions. Here's how to recreate the situation. Share out the wwwroot directory to a user, or use InterDev and allow the user to login to the web. This I would imagine is all that you want the user to see. If this user creates an .asp page, and uses the Scripting.FileSystemObject, he has full control over any file on the machine. For example: <% Set fsMad=CreateObject("Scripting.FileSystemObject") Set fileMad=fsMad.CreateTextFile("c:\winnt\mad.txt") fileMad.write("Here's a bit of a strange one") fileMad.close %> Neither the users account or the IUSR_machinename account have been granted the write to do this. It seems that the file is been manipulated by the SYSTEM account. This is probably by design, but D. Marone gave it here as a warning that sharing out wwwroot is in effect sharing out the entire filesystem. EXPLOIT SOLUTION I'm sure that MS will make up sometning.