IIS user permission - to allow php fopen/fwrite?

SameerMirza
SameerMirza used Ask the Experts™
on
Hi all,

Guys I need to deal with security issue here. The requirement of the web is to allow user to create a file on server, location in web directory. Now its pretty simple to do it if I allow them to read/write permissions.
But looking at it from security point of view, Is it safe? I dont think so because its obviously open to attck then, cant they run some doudgy scripts if they want to as hacker (I dont know how to :)) but just thinking.
What would be the way to deal with it if it is not secure enough, fopen isnt in good books according to our security standards, but as I giving it restricted path then mayb I can get away with it but fwrite??
Problem is that its key requirement and they cant run fopen or fwrite unless I give them write permissions.

Can some one please guied me on this issue.

thx.
 
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Author

Commented:
Here is the answer,
IIS permission read only
In this particular case i have created an ad group for the users who can  write files. So just set that group or user to have write permission on that particular directory and make sure you dont have much in that directory to be on the safe side.
Praveen DMInfra Team Lead
Top Expert 2008

Commented:
Fopen and Fwrite has allways been a blocked method ini FW in web servers as it could be a playground for hackers specially Defacers.... U make u r self prety sure when u enable these methods in u r public access web server....
Praveen DMInfra Team Lead
Top Expert 2008

Commented:
If u want..u can try givin access to some temp folder and give user access to some specific user he sugests and not the common Ananymous user his site possesses...
Ok. In my case I had to do it. So one the way I came up with is that keep the file in specific folder and provide user wit hthe write accesss to that folder. Set IIS permissions to rea only and should work.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial