http://blogs.architectingconnectedsystems.com/blogs/cjg/archive/tags/_5F00_vti_5F00_bin/default.aspxTags: _vti_binenCommunityServer 2.1 (Build: 60809.935)http://blogs.architectingconnectedsystems.com/blogs/cjg/archive/2009/02/11/Most-Commonly-Missed-Best-Practice-with-Internet-Sites.aspxWed, 11 Feb 2009 22:22:00 GMT4aac0a7f-2495-46e5-9eb3-fa68b32063a9:37cjg0http://blogs.architectingconnectedsystems.com/blogs/cjg/comments/37.aspxhttp://blogs.architectingconnectedsystems.com/blogs/cjg/commentrss.aspx?PostID=37<p>Wanna know what it is?&nbsp; It is a disaster waiting to happen!&nbsp;&nbsp; <br /></p><p>Some day an IIS 6.0 vulnerability will come out that allows you to get administrator access to the _vti_bin directory of your SharePoint site.&nbsp; You will then be able to execute a call to the Lists web service and delete the &quot;Pages&quot; document library! &nbsp;</p><p>To prove it, do a search on Pages/default.aspx in google.&nbsp; You will get a listing on all the sites on the internet that are running sharepoint as their internet site.&nbsp; Check their _vti_bin directory access by appending /_vti_bin/lists.asmx</p><p>&nbsp;If you get the web service page for the list service, that company has setup there site WRONG!</p><p>The correct way of doing things is to create an extended web application that HAS the _vti_bin and the original with the _vti_bin DELETED!&nbsp; The original is the internet accessable one and the extended one is accessible only by internal staff (so you can use SharePoint Designer and such).</p><p>Anyone feel like writing a vulnerability and the code to delete all the pages&nbsp; document libraries on the internet to prove my point???&nbsp; Couldn&#39;t be too hard :)</p><p>CJG <br /></p><img src="http://blogs.architectingconnectedsystems.com/aggbug.aspx?PostID=37" width="1" height="1">Security_vti_bin