ASP Security

Thread: ASP Security

  1. #1
    Jerry Walsh Guest

    ASP Security

    Description:
    ============
    Active server pages (ASP) with runtime errors
    expose a security hole that publishes
    the full source code name to the caller.
    If these scripts are published on the
    internet before they are debugged by
    the programmer, the major search
    engines index them. These indexed
    ASP pages can then be located with a
    simple search. The search results publish
    the full path and file name for the ASP
    scripts. This URL can be viewed in a browser
    and may reveal full source code with
    details of business logic, database location
    and structure.

    Procedure:
    ==========
    - In the AltaVista search engine execute a search for
    +"Microsoft VBScript runtime error" +".inc, "

    - Look for search results that include the full
    path and filename for an include (.inc) file.

    - Append the include filename to the host name
    and call this up in a web browser.
    Example:

    Examples:
    =========

    Exposes database connections and properties, resource locations,
    cookie logic, server IP addresses, business logic

    Exposes database properties, business logic

    Exposes cobranding business logic

    Exposes datafile locations and structure

    Exposes source code for StoreFront 2000 including
    database structure

    Exposes search engine log

    Exposes members' email addresses and
    private comments file

    Exposes cookie logic

    Resolution:
    ===========

    - Search engines should not index pages that
    have ASP runtime errors.

    - Programmers should fully debug their ASP
    scripts before publishing them on the web.

    - Security administrators need to secure
    the ASP include files so that external users
    cannot view them.

  2. #2
    David Mann Guest

    This is an EXCELLENT point....

    Which is why I choose to lock down those files in a directory that has no rights to a user visiting from the web. =)

    We also use a full test server that is not available to the Internet, only our Intranet for testing purposes. Code goes there first, THEN it's published "live" if it functions correctly. =)

    Thanks for sharing this info; you've spared many people some rather embarrassing or potentially destructive situations by informing them of the dangers of security and bad code.

    --David
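The two mitigations both posts describe (keep .inc files from being served to web visitors, and stop runtime error details from reaching the browser where a search engine can index them) can be expressed as a single site configuration on IIS 7 or later. This is an added example, not configuration from either poster, and it assumes the Request Filtering module is installed and the `system.webServer/asp` section has been unlocked for site-level override.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Refuse any request whose URL ends in .inc: include files are
             only ever read server-side by #include, never fetched directly,
             so a direct request is either a mistake or a probe. -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".inc" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>

    <!-- Classic ASP runtime errors: send a generic message instead of the
         detailed error that names the failing script and include path.
         Details still go to the Windows event log for the developer. -->
    <asp scriptErrorSentToBrowser="false"
         scriptErrorMessage="An error occurred while processing this request." />

    <!-- Other HTTP errors: full detail only when browsing from the server
         itself (localhost), generic pages for every remote client. -->
    <httpErrors errorMode="DetailedLocalOnly" />
  </system.webServer>
</configuration>
```

On the IIS versions current when the thread was written, which lack request filtering, the usual equivalents were giving includes an `.asp` extension (so the engine executes them rather than serving them as text) or keeping them outside the web root, as David describes. Verify the result from an external client rather than from the server console, since `DetailedLocalOnly` deliberately behaves differently for localhost.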
