I have a website running asp classic on a Win 2003 RE server. The server is centrally managed and I am not allowed to play with the IIS settings. I have a pure asp upload commercial component on my site and recently we were successfully attacked with an aspx file being placed on the server and executed. This was caught quickly but as ever the entry method has not been established yet. Of course fingers are being pointed at my module.
I have tried unsuccessfully to exploit the component many times in the past 4 or 5 years by avoiding the file type check and, while no expert hacker, I have come to trust it (fool). However, during my visit to central I agreed to suspend file upload for a period and we sat down together to change the upload folder to read only. I then noticed in the IIS folder permissions that the execute (scripts?) box was ticked. I've been using web servers for a long time locally on my development notebooks but they were always using blanket admin rights setups to make anything possible. I said nothing at the time, but now I am asking you guys please to tell me if the aspx file could have run if the folder execute box was unticked?
Thanks for your help in advance.
"Nothing is impossible until proven otherwise"