Most Commonly Missed Best Practice with Internet Sites

Wanna know what it is?  It is a disaster waiting to happen!  

Some day an IIS 6.0 vulnerability will come out that allows you to get administrator access to the _vti_bin directory of your SharePoint site.  You will then be able to execute a call to the Lists web service and delete the "Pages" document library!  

To prove it, do a search on Pages/default.aspx in Google.  You will get a listing of all the sites on the internet that are running SharePoint as their internet site.  Check their _vti_bin directory access by appending /_vti_bin/lists.asmx

If you get the web service page for the Lists service, that company has set up their site WRONG!

The correct way of doing things is to create an extended web application that HAS the _vti_bin and the original with the _vti_bin DELETED!  The original is the internet accessible one and the extended one is accessible only by internal staff (so you can use SharePoint Designer and such).
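A self-audit for the setup just described, added here as an example and not part of the original post: after deleting _vti_bin from the internet-facing web application, run this against your own hostnames (the `OWN_HOSTS` list and the `vti-bin-audit` User-Agent are constructed placeholders) to confirm the Lists web service no longer answers anonymously. It assumes the ASMX help page that IIS returns for lists.asmx carries the words "Lists" and "Web Service" in its body.

```python
"""Verify that /_vti_bin/lists.asmx is NOT reachable on the internet-facing web application."""
import urllib.error
import urllib.request

VTI_PATH = "/_vti_bin/lists.asmx"


def classify(status, body):
    """Turn an HTTP status and body for lists.asmx into a verdict.

    200 with the ASMX description page means anyone on the internet can reach
    the Lists web service; 401/403/404 means the directory is gone or blocked.
    """
    text = body.lower()
    if status == 200 and "lists" in text and "web service" in text:
        return "EXPOSED"
    if status in (401, 403, 404):
        return "BLOCKED"
    return "UNEXPECTED"  # e.g. unreachable host or a 500; inspect by hand


def fetch(url):
    """Return (status, first 4 KiB of body) for url, never raising."""
    req = urllib.request.Request(url, headers={"User-Agent": "vti-bin-audit"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def audit(hosts, fetch_fn=fetch):
    """Check every host you own and map it to a verdict; fetch_fn is injectable for offline tests."""
    return {host: classify(*fetch_fn(f"https://{host}{VTI_PATH}")) for host in hosts}


if __name__ == "__main__":
    OWN_HOSTS = ["www.example.com"]  # constructed placeholder: list your own internet-facing sites here
    for host, verdict in audit(OWN_HOSTS).items():
        print(f"{host}: {verdict}")
```

Anything reported as EXPOSED is a site still running the un-extended web application with _vti_bin in place.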

Anyone feel like writing a vulnerability and the code to delete all the Pages document libraries on the internet to prove my point???  Couldn't be too hard 🙂
