My host eUKhost has disabled the FSO (file system object). Consequently my CactuShop does not work. What can I do?
This component allows ASP to access the file system and read or write files. CactuShop uses the FSO for skinning, writing uploaded images to the store and some other tasks.
Without it, CactuShop will not be able to operate.
From the information we have seen from eUKhost, it appears that their claim that the FSO is vulnerable and a security risk applies only to their shared servers. They therefore recommend moving to a VPS (virtual private server), or moving to ASP.NET.
We are not aware of any general Microsoft advisory that the FSO is unsafe or should be disabled. The fact that they suggest moving to a VPS as a solution tends to confirm this. It seems the risk is on their shared servers only, with the implication that a user on one web site can use the FSO to read/write files on any site on the server.
As far as we are aware, this should not be possible if each web is set up with a separate Windows IUSR account. Any ASP script run on a site runs as that user, so if that user only has permissions for his/her own web, the script can only use the FSO to read/modify files on that web.
We'd therefore speculate that in this case the host may have configured their shared servers to use a single IUSR account; in that configuration any web site could indeed use the FSO to 'explore' the server and read/write any files, even on other users' webs. Certainly that fits with the explanation given by eUKhost, and would explain why they believe a VPS is safe (because the only user on the server would be your site).
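A host can check for the shared-account condition described above by auditing the server configuration. The following is an added example, not CactuShop or eUKhost code: it assumes an IIS 7+ `applicationHost.config` layout, and the site and account names in the sample are constructed. Sites with an empty `userName` (which run as the application pool identity) are skipped and need a separate check.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the IIS 7+ applicationHost.config layout (not from the page).
SAMPLE_CONFIG = """
<configuration>
  <system.applicationHost><sites>
    <site name="shopA" id="1"/><site name="shopB" id="2"/><site name="shopC" id="3"/>
  </sites></system.applicationHost>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="IUSR"/>
  </authentication></security></system.webServer>
  <location path="shopC"><system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="web_shopC"/>
  </authentication></security></system.webServer></location>
</configuration>
"""

ANON = "system.webServer/security/authentication/anonymousAuthentication"

def anonymous_accounts(config_xml):
    """Map each site to the account its anonymous requests (and ASP scripts) run as."""
    root = ET.fromstring(config_xml)
    # Server-wide setting; the IIS schema default for userName is IUSR.
    default = root.find(ANON)
    default_user = default.get("userName", "IUSR") if default is not None else "IUSR"
    # Per-site overrides live in <location path="SiteName"> blocks.
    overrides = {}
    for loc in root.findall("location"):
        node = loc.find(ANON)
        if node is not None and node.get("userName") is not None:
            overrides[loc.get("path", "").lower()] = node.get("userName")
    sites = root.findall("system.applicationHost/sites/site")
    return {s.get("name"): overrides.get(s.get("name").lower(), default_user)
            for s in sites}

def shared_accounts(config_xml):
    """Return {account: [sites]} for every anonymous account used by more than one site."""
    groups = defaultdict(list)
    for site, user in anonymous_accounts(config_xml).items():
        if user:  # empty userName means the app pool identity; not resolved here
            groups[user.lower()].append(site)
    return {u: sorted(s) for u, s in groups.items() if len(s) > 1}

if __name__ == "__main__":
    for account, sites in shared_accounts(SAMPLE_CONFIG).items():
        print(f"{account} is shared by: {', '.join(sites)}")
```

A distinct account per site is only half of the separation: each account's file permissions must also be limited to its own web, which this check does not inspect.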
We have had three reports of this problem, all from eUKhost customers. We have not seen any general Microsoft advisory regarding problems with the FSO and we have not had reports from any other hosts that they are turning off FSO support. So we suspect the issue is not a general one, but specific to eUKhost.
Upgrading to the latest CactuShop version will not resolve the issue; the FSO is fundamental to any ASP application that reads or writes files - and certainly that would apply to all ASP e-commerce packages.
Until the host can provide suitable separation of ASP sites, the options are:
1. Move to a VPS as they suggest
2. Move to ASP.NET as they suggest (we have a .NET e-commerce package: www.kartris.com).
3. Move the site to a host that can confirm that the FSO is not disabled (at present we believe this to be most hosts).
In summary, we currently believe this to be a security issue with eUKhost rather than the ASP/Microsoft platform at large, though we would welcome any further information (e.g. Microsoft advisories, details of other major hosts disabling the FSO, etc.) in order to revise this knowledgebase article.