
What's Wrong With This Code? (#7)

Tuesday, October 10, 2006

This time, Joe Developer is building a web application for the company intranet. Most of the site is available to anonymous users, but one directory, the adminPages directory, should only be accessible to users in the machine's local Administrators group. Joe added the following to the bottom of his web.config and is feeling pretty secure.

<configuration>
  <location path="adminPages">
    <system.web>
      <authorization>
        <allow roles="BUILTIN\Administrators" />
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>

Should Joe be worried?
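To see how ASP.NET actually evaluates Joe's rules, here is an added example (not from the original post) that models the authorization behaviour: rules in the <authorization> section are checked top to bottom, the first rule that matches the user wins, and if none matches the request falls through to the inherited machine-level root web.config, which ends with <allow users="*" />. The script parses Joe's section as posted and a corrected variant with an explicit <deny users="*" /> (an assumption about the intended fix), then evaluates three constructed principals against each: an anonymous visitor, an authenticated intranet user who is not an administrator, and a member of BUILTIN\Administrators.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Joe's authorization section, exactly as posted (constructed copy for the demo).
WEAK_CONFIG = r"""<configuration>
  <location path="adminPages">
    <system.web>
      <authorization>
        <allow roles="BUILTIN\Administrators" />
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>"""

# Assumed corrected variant: deny everyone who did not match the allow rule,
# not just anonymous users.
FIXED_CONFIG = r"""<configuration>
  <location path="adminPages">
    <system.web>
      <authorization>
        <allow roles="BUILTIN\Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""

# The rule every site inherits from the root web.config when nothing else matches.
ROOT_DEFAULT_RULE = ("allow", "*", None)


@dataclass
class Principal:
    """Minimal stand-in for a Windows principal: name, auth state, group memberships."""
    name: str
    is_authenticated: bool
    roles: list = field(default_factory=list)


# Constructed sample users for the intranet scenario.
ANONYMOUS = Principal(name="", is_authenticated=False)
NON_ADMIN = Principal(name=r"CORP\alice", is_authenticated=True, roles=[r"CORP\Domain Users"])
ADMIN = Principal(name=r"CORP\bob", is_authenticated=True,
                  roles=[r"CORP\Domain Users", r"BUILTIN\Administrators"])


def parse_rules(config_xml, path="adminPages"):
    """Return the (action, users, roles) rules of the <location> for the given path, in order."""
    root = ET.fromstring(config_xml)
    for loc in root.findall("location"):
        if loc.get("path") != path:
            continue
        auth = loc.find("system.web").find("authorization")
        return [(rule.tag, rule.get("users"), rule.get("roles")) for rule in auth]
    return []


def rule_matches(rule, principal):
    """Apply ASP.NET's user/role matching: '*' is everyone, '?' is anonymous only."""
    _action, users, roles = rule
    if users:
        for user in (u.strip() for u in users.split(",")):
            if user == "*":
                return True
            if user == "?" and not principal.is_authenticated:
                return True
            if principal.is_authenticated and user.lower() == principal.name.lower():
                return True
    if roles:
        member_of = {r.lower() for r in principal.roles}
        if any(role.strip().lower() in member_of for role in roles.split(",")):
            return True
    return False


def is_authorized(config_xml, principal):
    """First matching rule wins; unmatched requests fall through to the inherited root allow."""
    for rule in parse_rules(config_xml) + [ROOT_DEFAULT_RULE]:
        if rule_matches(rule, principal):
            return rule[0] == "allow"
    return False


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        for who in (ANONYMOUS, NON_ADMIN, ADMIN):
            name = who.name or "<anonymous>"
            print(f"{label:5} {name:12} -> {'allowed' if is_authorized(cfg, who) else 'denied'}")
```

Running it shows that under Joe's rules the anonymous visitor is denied and the administrator is allowed, but so is the authenticated non-administrator: she matches neither <allow roles="BUILTIN\Administrators" /> nor <deny users="?" />, so the inherited <allow users="*" /> admits her. The corrected section closes that gap by denying "*" after the allow. Two caveats the simulation does not model: the role check only works when Windows authentication is configured (<authentication mode="Windows" />) so that the request carries a Windows token, and the real pipeline also walks every parent directory's rules before reaching the root default.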