
Issue Shell file can access C:\

testttt

Basic Pleskian
Hi,
I have Plesk Obsidian 18.0.34 on Windows Server 2019.
I found a shell file (.aspx shell) on a web site.
I moved it to another web site and looked at it to see its functions and access limits. But I was shocked when I saw the results. I can access the root folder (C:\) of the disk and can access many places. Some directories couldn't be accessed (C:\Inetpub).
But I can access many directories.

How can this file access folders beyond the web site's httpdocs folders? Is this normal? If not, how can I fix this security vulnerability?

 
So, you're now discovering an issue with all script languages that can access a file system. This happens with Python, CGI, PHP, basically any language. PHP has open_basedir built-in to prevent this. I'm not familiar with ASPX, but they might have something too. Otherwise, you'll need some form of synthetic rooting if you want to restrict the script to a certain number of directories.

In theory, there is nothing truly "insecure" about a user that's able to enumerate all the files. Files that shouldn't be read will have the proper permissions that prevent such. In practice, this is a horrible idea, especially if someone can enumerate your users, or exploit potential application vulnerabilities, or if the permissions on a file are mis-set.
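
The reply above relies on NTFS permissions being what stops a script from reading outside its own site. As an added example (not part of the thread and not a Plesk tool), this PowerShell script lists the Allow entries that let broad groups enumerate a folder; the paths and group names are assumptions and differ on localized or customized servers.

```powershell
# Added example: report Allow ACEs that let broad principals list a folder.
# $Paths and $Broad are assumptions; edit them for the server being checked.
# Run from an elevated prompt so Get-Acl can read every ACL.
$Paths = 'C:\', 'C:\Inetpub', 'C:\Windows\Temp'
$Broad = 'Everyone', 'BUILTIN\Users',
         'NT AUTHORITY\Authenticated Users', 'BUILTIN\IIS_IUSRS'

# ListDirectory shares its bit with ReadData. Generic rights are shown by
# Get-Acl as raw numbers, so they are tested as bits rather than by name.
$ListBit     = [int][System.Security.AccessControl.FileSystemRights]::ListDirectory
$GenericRead = [int]::MinValue      # 0x80000000
$GenericAll  = 0x10000000
$ReadMask    = $ListBit -bor $GenericRead -bor $GenericAll

$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$report = foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $acl = Get-Acl -LiteralPath $p -ErrorAction SilentlyContinue
    if ($null -eq $acl) { continue }          # ACL not readable by this account

    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Broad -notcontains $who) { continue }
        if (([int]$ace.FileSystemRights -band $ReadMask) -eq 0) { continue }

        [pscustomobject]@{
            Path        = $p
            Identity    = $who
            Rights      = $ace.FileSystemRights
            Inherited   = $ace.IsInherited
            # Inherit-only entries apply to children, not to the folder itself.
            InheritOnly = $ace.PropagationFlags.HasFlag($InheritOnly)
        }
    }
}

$report | Format-Table -AutoSize
```

Each row is a place where any local account in that group, including a site's hosting user if it is a member, can list the folder's contents.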
 
So, any web site owner on my server can access the C:\ directory and can upload and download files? For a standard Windows user that I created, it may be "not unsecure", but for a hosting user it is an extreme security problem for me and for all web server owners. I think there must be a feature to restrict a web site user from accessing folders above the root directory of the web site (httpdocs or domain.com).
 