Hi,
I have a web server for hosting web sites.
The security follows what is suggested here:
http://www.iis.net/learn/manage/configuring-security/ensure-security-isolation-for-web-sites
On the folder, the permissions are set like this:
system (full read, write, exe ... except special)
Specific_website_user_WEB (only Read)
Specific_website_user_FTP (read & write)
administrators (read, write, exe ... except special)
users (read & Exe)
A hacker was able to break into a specific web site (the Victim web site), a WordPress site. This web site uses a specific app pool on IIS (like VictimUserPoolApp), and on the web site's root folder the permissions are as described above, with VictimUser_WEB.
My question is:
How is it possible that the hacker was able to write files outside the Victim web site, for example in another web site on the same web server?
I found files (like faker.html or other PHP files) in the other web site's root, where the owner of the files was VictimUser_WEB.
Is there a missing security configuration on my IIS?
I think it should not be possible for user A to write a file in another folder where A does not have permission...
Thanks for any suggestions.
Roberto
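
An added example, not part of the original post: a PowerShell audit for the situation described above. It lists every write-capable Allow ACE on each site root and every file owned by the account named in the post. The `D:\Sites` path, the parameter names and the `$ExpectedWriters` list are assumptions to adapt to the server.

```powershell
# Added example: audit NTFS permissions and file ownership across IIS site roots.
# Assumptions (not from the post): every site root is a subfolder of $SitesRoot,
# and $ExpectedWriters lists the identities that may legitimately write everywhere.
param(
    [string]$SitesRoot = 'D:\Sites',              # hypothetical path, adapt
    [string]$SuspectOwner = 'VictimUser_WEB',     # account name used in the post
    [string[]]$ExpectedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
)

# Rights that let an identity create, change or delete content, or re-ACL it.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry raw generic bits instead: GENERIC_WRITE, GENERIC_ALL.
$genericMask = 0x40000000 -bor 0x10000000

foreach ($site in Get-ChildItem -LiteralPath $SitesRoot -Directory) {
    # 1. Who holds a write-capable Allow ACE on this site root?
    #    A site's own FTP account is expected here; any other site's account is not.
    foreach ($ace in (Get-Acl -LiteralPath $site.FullName).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.FileSystemRights
        if (-not (($rights -band $writeMask) -or ($rights -band $genericMask))) { continue }
        $who = $ace.IdentityReference.Value
        if ($ExpectedWriters -contains $who) { continue }
        [pscustomobject]@{
            Check = 'WriteAce'; Site = $site.Name; Identity = $who
            Detail = "$($ace.FileSystemRights) (inherited: $($ace.IsInherited))"
        }
    }
    # 2. Which files under this site are owned by the suspect account?
    Get-ChildItem -LiteralPath $site.FullName -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $owner = (Get-Acl -LiteralPath $_.FullName).Owner
            if ($owner -like "*\$SuspectOwner") {
                [pscustomobject]@{
                    Check = 'OwnedFile'; Site = $site.Name; Identity = $owner
                    Detail = $_.FullName
                }
            }
        }
}
```

Run it from an elevated prompt so `Get-Acl` can read every folder. The first check looks only at the ACL of each site root, so subfolders whose ACLs differ from the root need the same check applied to them.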