Huge security blunder? Bit of a fun too.. :)

  • Question

  • User-1913580078 posted

    Hey!

    I got a website where all users are stored in an AD.
    The users can change their password through the website.

    But every time a user changes their password, a folder with the AD username is created in "x:\Documents and Settings" on the webserver!

    Like this:
    C:\Documents and Settings\Administrator
    C:\Documents and Settings\All Users
    C:\Documents and Settings\Default User
    C:\Documents and Settings\Donald43 (a user in the AD that has set his password through the web)
    C:\Documents and Settings\Fredric2 (another user)
    C:\Documents and Settings\Garfield62 (and so on..)
    C:\Documents and Settings\Harry23
    C:\Documents and Settings\Lokko23

    etc etc

    I got over 2600 of these folders now! :)
    (130 000 files and 117 000 sub-folders, 1.75 GB!!!)

    This started happening after an upgrade of the web. But no changes had been made to the "set password" code, and the AD itself has not been touched.

    (Users that do not change their password do not have a folder.)

    I don't know where to look.
    All ideas would be appreciated.

    Webserver: Windows 2003 Server
    AD: Windows 2000

    Sunday, August 13, 2006 6:19 AM

All replies

  • User1354132231 posted
    That doesn't happen via the SetPassword or ChangePassword methods.  Your code is doing something else... (like logging them on locally).  How are you changing passwords?
    Monday, August 14, 2006 1:00 PM
  • User1297008538 posted

    That doesn't happen via the SetPassword or ChangePassword methods.  Your code is doing something else... (like logging them on locally).  How are you changing passwords?

    Probably either impersonating them with some weird options or calling LogonUser to get a token with the wrong options and then passing that token to the impersonation context.

    Did you buy this app? If so, it's a POS; get a new one. If not, your code is busted; fix it.

    Monday, August 21, 2006 12:47 AM
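
The two replies above say the same thing: an ADSI SetPassword/ChangePassword call never creates a local profile, while logging the user on to the web server (LogonUser with interactive options, then impersonation) can. The following is an added example, written for this thread and not code from the original poster or from the replies, contrasting the ADSI path with the pattern to look for in the "set password" code. It assumes an ASP.NET application on Windows Server 2003 using System.DirectoryServices against the domain; the LDAP path, domain and account names are placeholders, and the claim that LoadUserProfile creates the profile directory is the documented behaviour of that Win32 API.

```csharp
// Added example (not from the thread or the poster's application).
// Assumptions: ASP.NET on Windows Server 2003, System.DirectoryServices against
// an AD domain; ldapUserPath, domain and user names are placeholders.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

public static class PasswordChange
{
    // Path 1, what the replies say the app should be doing: change the password
    // through ADSI. This is a directory operation against the domain controller;
    // the user is never logged on to the web server, so nothing appears under
    // "Documents and Settings".
    public static void ChangeViaAdsi(string ldapUserPath, string oldPassword, string newPassword)
    {
        // e.g. "LDAP://CN=Donald43,OU=Users,DC=example,DC=local" (placeholder path)
        using (DirectoryEntry user = new DirectoryEntry(ldapUserPath))
        {
            // IADsUser.ChangePassword validates the old password itself, so the
            // app has no reason to call LogonUser to "check" it beforehand.
            user.Invoke("ChangePassword", new object[] { oldPassword, newPassword });
        }
    }

    // Path 2, the pattern to grep for when auditing the existing code: an
    // interactive LogonUser followed by LoadUserProfile. LoadUserProfile creates
    // the local profile directory when it does not exist, which is exactly the
    // symptom in the thread: one folder per user who has changed a password.
    // It also requires "Allow log on locally" on the web server for every user.
    public static bool ProfileCreatingPattern(string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            return false;

        PROFILEINFO pi = new PROFILEINFO();
        pi.dwSize = Marshal.SizeOf(pi);
        pi.lpUserName = user;
        bool loaded = LoadUserProfile(token, ref pi); // creates C:\Documents and Settings\<user>
        if (loaded) UnloadUserProfile(token, pi.hProfile);
        CloseHandle(token);
        return loaded;
    }

    // If the app truly must verify a password outside ADSI (it should not need to
    // with ChangePassword), a network logon yields a token with no interactive
    // session, and the token is closed without a profile ever being loaded.
    public static bool CredentialsValidNoProfile(string user, string domain, string password)
    {
        IntPtr token;
        bool ok = LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                            LOGON32_PROVIDER_DEFAULT, out token);
        if (ok) CloseHandle(token);
        return ok;
    }

    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct PROFILEINFO
    {
        public int dwSize;
        public int dwFlags;
        public string lpUserName;
        public string lpProfilePath;
        public string lpDefaultPath;
        public string lpServerName;
        public string lpPolicyPath;
        public IntPtr hProfile;
    }

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                 int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("userenv.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LoadUserProfile(IntPtr hToken, ref PROFILEINFO lpProfileInfo);

    [DllImport("userenv.dll", SetLastError = true)]
    static extern bool UnloadUserProfile(IntPtr hToken, IntPtr hProfile);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);
}
```

When auditing the poster's code, the thing to search for is any LogonUser, LoadUserProfile or WindowsIdentity.Impersonate call on the "set password" path; if the app only ever invokes ChangePassword or SetPassword on the DirectoryEntry, as in ChangeViaAdsi above, the 2600 profile folders cannot come from that code and must come from something else that runs in the same request.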