Various folders on a Windows Shared Hosting server (e.g. C:\Perl) are writable by scripts running in customers' webspaces.
This is because the root directories of all disk volumes have inheritable write access for the group BUILTIN\Users by default. Some directories (e.g. Program Files, CustomerData) drop this permission, but some others (e.g. Perl) do not. All web scripts are executed under the credentials of special users that are members of the group BUILTIN\Users.
The issue has been fixed in OA 5.5 update 4. To work around the issue on earlier versions, perform the following steps:
1. Open Windows Explorer (or My Computer).
2. Right-click on local disk (C:) and select Properties.
3. Select the Security tab and click the Advanced button.
4. Remove the two entries which allow write access for group Users (<LOCAL_COMPUTER>\Users):
   - Remove permission Create Folders / Append Data applied to This folder and subfolders.
   - Remove permission Create Files / Write Data applied to Subfolders only.
5. Click the Apply button and close the opened windows by clicking the OK button.
6. Repeat steps 1-5 for all other local disks.
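
To confirm which volume roots and top-level folders still carry the write entries for BUILTIN\Users, before and after the steps above, the following audit script can be run from an elevated console. It is an added example, not part of the original article or the product, it changes no permissions, and it assumes PowerShell 3.0 or later; the function name `Get-UsersWriteAce` is hypothetical.

```powershell
# Audit only: lists Allow entries that give BUILTIN\Users create/append rights
# on each fixed volume root and on the folders directly beneath it.
$usersSid = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users (name is localized, SID is not)
$write    = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'

function Get-UsersWriteAce {
    param([Parameter(Mandatory = $true)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }   # folder not readable with current rights

    # Ask for explicit and inherited rules, with identities returned as SIDs
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $usersSid -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $write)
        } |
        Select-Object @{ n = 'Path'; e = { $Path } },
                      FileSystemRights, IsInherited, InheritanceFlags, PropagationFlags
}

# All local fixed disks, matching "repeat for all other local disks"
$roots = [System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady } |
    ForEach-Object { $_.RootDirectory.FullName }

$findings = foreach ($root in $roots) {
    # Entries on the root itself are the ones removed in step 4
    Get-UsersWriteAce -Path $root

    # IsInherited = True on a child means it still receives the entry from the root
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-UsersWriteAce -Path $_.FullName }
}

$findings | Sort-Object Path | Format-Table -AutoSize
```

Rows with `IsInherited` set to `False` on a subfolder indicate a write entry assigned directly on that folder, which removing the root entries does not affect.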