[Full-Disclosure] FYI Only - Interesting Dot Net configuration item
From: DAN MORRILL (dan_20407msn.com)
Date: Tue Jun 08 2004 - 12:53:33 CDT
Good Morning List
been running some tests on an ASP dot Net web technology system, and ran
into some things that would be good FYI from a security perspective. Since
this is still new technology in some respects, there are some configuration
items that should be observed, or at least noted possibly as a policy item,
but security folks should be looking for these items when they are testing a
dot net system.
For interest's sake - go to Google and run the following if you want more
information on these files (or to observe folks that didn't do their
security right, and to observe first hand the data that is given over. Again,
as with all security, risk is defined by the organization; this may or may
not be risky depending on your view point.)
allinurl: "aspx.cs" for C# source
allinurl: "aspx.vb" for VBS source
Trace dot axd is a tracing function that can be controlled in the web.config
file. Default is to not release this data, but the developer can modify the
web.config file to show all trace data to an outside client. This data
includes cookie session data, and other data that could be useful for
session hijacking, and determining the physical configuration of the web
server, including physical and logical drive space. This runs in memory, and
is purged on a FIFO basis, or when IIS is restarted.
Web.config file holds configuration data for dot net for the web server.
Provides good configuration data about how the dot net environment is set up
for the web server. It can also hold connection string information for
connecting to database systems, other systems, and virtual directories if
not using integrated security.
All source files (.CS or .VB) can provide information about how the web
application is set up, what it imports, and in some cases holds connection
string data for accounts database backend systems. That data is included if
not using the ODBC DSN system. (Although it could be there if any form of
credentials are embedded anywhere in the source code for a web system).
Just thought I would pass this along as I have not seen anything like this
posted on the network at all. My suggestion based on this data is that all
uploaded Dot Net code bases onto a production server be configured in such a
way that these data points are not exposed to the public. Default is that
these are protected system files, but a developer can change these bounds,
and there should be a handshake between security and development for
production or other internet exposed systems.
Hope this was interesting.
Sometimes MSN E-mail will indicate that the message failed to be delivered.
Please resend when you get those; it does not mean that the mail box is bad,
merely that MSN mail is overworked at the time.
Otherwise, hope things are going well.
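The post describes two things a security reviewer should check in a deployed ASP.NET application before it goes to production: whether trace.axd has been opened up to remote clients in web.config, and whether connection strings with embedded credentials are sitting in clear text. The script below is an added example (not Dan Morrill's code, and not a Microsoft tool) that automates that check over a web.config file. The `enabled` and `localOnly` attributes of `<trace>` are the real ASP.NET configuration attributes (defaults `false` and `true` respectively); the two sample configs, the `audit_web_config` function and the password-matching heuristic are constructed for this example.

```python
"""Audit an ASP.NET web.config for the two exposure points discussed in the post:
a trace.axd handler reachable by remote clients, and credential-bearing
connection strings stored in clear text.  Constructed example, not a real tool."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the weak setting.  Tracing is switched on for remote
# clients (localOnly="false") and the DB password is embedded in appSettings.
EXPOSED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="DbConn" value="Server=db1;Database=app;User Id=appuser;Password=hunter2;" />
  </appSettings>
  <system.web>
    <trace enabled="true" localOnly="false" pageOutput="false" requestLimit="40" />
  </system.web>
</configuration>
"""

# The same file after hardening: tracing off (and local-only should anyone
# re-enable it), and integrated security instead of a stored password.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="DbConn" value="Server=db1;Database=app;Integrated Security=SSPI;" />
  </appSettings>
  <system.web>
    <trace enabled="false" localOnly="true" />
  </system.web>
</configuration>
"""

# Heuristic (constructed): a "password=" or "pwd=" token inside a config value.
_CRED_PATTERN = re.compile(r"(password|pwd)\s*=", re.IGNORECASE)


def _is_true(value):
    """ASP.NET boolean attributes are case-insensitive 'true'/'false'."""
    return (value or "").strip().lower() == "true"


def audit_web_config(xml_text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(xml_text)

    # 1. trace.axd exposure.  ASP.NET defaults: enabled="false", localOnly="true".
    #    Only enabled="true" together with localOnly="false" hands the trace log
    #    (session cookies, server paths, request data) to an outside client.
    for trace in root.iter("trace"):
        enabled = _is_true(trace.get("enabled", "false"))
        local_only = _is_true(trace.get("localOnly", "true"))
        if enabled and not local_only:
            findings.append("trace.axd is enabled and reachable by remote clients")
        elif enabled:
            findings.append("trace.axd is enabled (local clients only)")

    # 2. Clear-text credentials in <add> entries, whether the older appSettings
    #    style (value="...") or a connectionStrings entry (connectionString="...").
    for add in root.iter("add"):
        for attr in ("value", "connectionString"):
            text = add.get(attr)
            if text and _CRED_PATTERN.search(text):
                name = add.get("key") or add.get("name") or "?"
                findings.append(f'clear-text credential in <add key="{name}">')

    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label, "->", audit_web_config(cfg) or "no findings")
```

To run it against a real deployment, read the application's web.config from disk and pass the text to `audit_web_config`; the same check belongs in the security/development handshake the post recommends, run before a code base is promoted to an internet-facing server.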