ASP Security Issues

  1. #1
    shawn. Guest

    Default ASP Security Issues

    Hi,

    While looking around planet source code, I came across an ASP script that, when installed on our web server, gave us the ability to browse around through the web server. Here is the link to the script and it makes use of FileSystemObjects:

    Is there a patch for this? Anyone familiar with how to set permissions so that if someone were to get this script onto our server that it would not cause a security breach? Thanks!

    PS Are there any good sites that deal with ASP security issues (i.e. malicious attacks)?

  2. #2

    Default RE: ASP Security Issues

    Read this article. I tried it on my own site and it completely fell apart on me, I couldn't believe it. It would let a hacker locate your database, and potentially download it. I managed to download my own database from my server (even though my ISP told me it was in a secure directory), and because I could see the login name and password in the connection string, I could open it too.

  3. #3
    shawn. Guest

    Default RE: ASP Security Issues

    Yeah we fixed that issue, but the script I posted will allow you to view things like a Global.asa. Which, depending on how you set your connection strings, can give a hacker the name of your database server and a username/password. Which is like giving them a free pass.

  4. #4

    Default RE: ASP Security Issues

    Microsoft have a WEALTH of info. Try to pursue your queries further...

  5. #5
    shawn. Guest

    Default RE: ASP Security Issues

    While they have a wealth of knowledge, there is no information on the potential security hole that FileSystemObjects presents.

  6. #6
    James W Guest

    Default Think about it !

    It's not a security hole or vulnerability at all.

    The script needs to be run on the server you want to search for. If you or your server admin is allowing anonymous/unauthenticated users to place scripts on your server in directories with execute rights, you're asking to be hacked. If security is that loose, why would anybody bother with FSO when they could upload an .exe or WSH to delete your registry?

    You need to limit who has access to your server or it's just a matter of time.

  7. #7
    James W Guest

    Default Keep reading

    That article also describes the fix available from Microsoft. If your ISP is not willing to apply the fix, you should find another. If they won't fix this one, you can be sure there are a lot of other serious problems waiting to be exploited.
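
An added example, not part of the thread and not code from Microsoft or any poster: a small Python audit for the two exposures discussed above, script files that instantiate `Scripting.FileSystemObject` and connection-string passwords stored in files such as Global.asa. The regexes, the extension list and the sample web root are constructed assumptions.

```python
import os
import re
import tempfile

# Script files classic ASP executes or includes (assumed list).
SCRIPT_EXTS = {".asp", ".asa", ".inc"}
RULES = {
    # A page that instantiates the FileSystemObject can read whatever the
    # account it runs as can read, so every hit should have a known owner.
    "fso": re.compile(r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"', re.I),
    # A non-empty password embedded in a connection string.
    "inline-credential": re.compile(r'\b(?:pwd|password)\s*=\s*[^;"\s]+', re.I),
}

def audit_webroot(root):
    """Return sorted (relative_path, line_no, rule) for every rule hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="latin-1") as fh:
                for no, line in enumerate(fh, 1):
                    for rule, rx in RULES.items():
                        if rx.search(line):
                            findings.append((rel, no, rule))
    return sorted(findings)

def demo():
    """Build a constructed web root in a temp dir and audit it."""
    samples = {
        "global.asa": 'Sub Application_OnStart\n'
                      '  Application("dsn") = "Provider=SQLOLEDB;Data Source=db01;'
                      'User ID=webapp;Password=EXAMPLE-ONLY;"\n'
                      'End Sub\n',
        "uploads/browse.asp": '<%\nSet fso = Server.CreateObject("Scripting.FileSystemObject")\n%>\n',
        "default.asp": '<% Response.Write "hello" %>\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="latin-1") as fh:
                fh.write(body)
        return audit_webroot(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

An `fso` hit in a directory that accepts uploads is the case to investigate first; an `inline-credential` hit marks a file whose disclosure would also disclose database access.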
