From over at the Bad Site ™
Both the vulnerability and the "fix" for CVE-2025-21204 are quite silly.
The scenario is:
- Non-admin user creates C:\inetpub\wwwroot directory and puts web content there
- Admin user at some point in the future enables IIS on the system.
The outcome is:
The web content provided by the non-admin user (be it a web shell or whatnot) is served up by IIS.
Maybe non-admin users shouldn't be able to make directories or junctions (to directories or files) in C:\?
NAH.
Maybe installing IIS should provide a clean webroot when it's installed?
NAH.
Just preemptively make a C:\inetpub directory that non-admin users can't write to. That fixes the problem. 🤦‍♂️
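As an added example (not from the original post), here is a PowerShell audit a defender can run before enabling IIS that checks the three things the post raises: whether C:\inetpub already exists and is a real directory rather than a junction, whether low-privileged principals (including via ACEs inherited from C:\) can create or delete entries in it, and whether wwwroot already holds content. The principal list, the write-rights mask, and the function name are assumptions.

```powershell
# Added example (not from the original post): pre-IIS audit of the C:\inetpub
# staging directory. Principal list and write-rights mask are assumptions.
$Path = 'C:\inetpub'
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$Rights = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $Rights::CreateFiles -bor $Rights::CreateDirectories -bor $Rights::Delete

function Test-InetpubStaging {
    param([string]$Root = $Path)
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The directory must already exist, or a standard user can claim the name first.
    if (-not (Test-Path -LiteralPath $Root)) {
        $findings.Add("$Root is absent; a standard user could create it before IIS is enabled")
        return $findings
    }

    # 2. It must be a real directory, not a junction/symlink pointing somewhere else.
    $item = Get-Item -LiteralPath $Root -Force
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        $findings.Add("$Root is a reparse point (junction/symlink), not a real directory")
    }

    # 3. Owner and ACL: Get-Acl returns inherited ACEs too, so a permissive C:\ shows up here.
    $acl = Get-Acl -LiteralPath $Root
    if ($acl.Owner -notin @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller')) {
        $findings.Add("$Root is owned by $($acl.Owner), not an admin principal")
    }
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $rule.IdentityReference.Value -in $LowPrivPrincipals -and
            ($rule.FileSystemRights -band $WriteMask)) {
            $findings.Add("$($rule.IdentityReference) can write to $Root ($($rule.FileSystemRights), inherited=$($rule.IsInherited))")
        }
    }

    # 4. Anything already sitting in wwwroot predates IIS and deserves review before it gets served.
    $wwwroot = Join-Path $Root 'wwwroot'
    if (Test-Path -LiteralPath $wwwroot) {
        foreach ($f in Get-ChildItem -LiteralPath $wwwroot -Recurse -File -Force) {
            $findings.Add("pre-existing content in wwwroot: $($f.FullName) (modified $($f.LastWriteTime))")
        }
    }
    return $findings
}

$result = Test-InetpubStaging
if (-not $result) { "OK: $Path is pre-staged and not writable by low-privileged principals" }
else { $result }
```

Run it elevated on a host where IIS is not yet installed; an empty result means the directory is already staged the way the patch expects, and any line mentioning an inherited ACE means the directory is simply picking up the default permissions of C:\.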