From: Robert Housedorf (rhousedorfhotmail.com)
Date: Wed Aug 15 2001 - 08:37:54 CDT

    Blaine,

    As an MS/ASP developer, I'm familiar with this concern. The MS
    recommended approach to solving this is to store all your .asp's in a
    subdirectory with WEB permissions set to EXECUTE PERMISSIONS ("Scripts",
    or "Scripts and Executables" if you have some exe's also),
    and then uncheck the Read permission box. This is for W2K. You can
    examine the scripts subdir within the IIS MMC to see what they do.

    There may also be some setting of NTFS permissions as well.

    For the COM stuff, as far as custom components go, a remote attacker
    would need to know the GUID or name of the component. Also, and I'm
    getting in a little deep here so investigate before taking my word for
    it, assuming they found out HOW to use the COM object, I believe you can
    set the COM object properties for remote access with dcomcnfg.exe.

    There are some good tech articles on msdn.microsoft.com, and you might
    also be able to find some great info by doing a search on dcomcnfg on
    the msdn site also. You'll have to translate down for non-technicals
    though.

    Thanks,

    Bob Housedorf
    PS, I'm sitting at home looking for a new assignment, so feel free to
    ask me questions. I'm getting stale already <GRIN> and could use the
    thought exercises!

    ----- Original Message -----
    From: "Blaine" <lyvewyre13yahoo.com>
    To: <www-mobile-codesecurityfocus.com>
    Sent: Tuesday, August 14, 2001 2:00 PM
    Subject: Active Server Pages Security risk?

    > Task:
    > I am compiling a list of security issues surrounding
    > Active Server Pages and their use in an environment
    > where data security is priority.
    > I want to keep it as simple as possible so that
    > non-technicals can understand the issues.
    >
    > Needs:
    > I am having difficulty finding a critical review of
    > this sort to validate my own findings.
    > I am looking for vulnerabilities in the Architecture
    > and possible uses of obtained source.
    >
    > This is what I have started with:
    >
    > ASP Security issues
    >
    > No Code Encryption- if the source is displayed
    > information on how the application retrieves sensitive
    > data may be revealed and exploited.
    >
    > When used in conjunction with COM objects if the COM
    > objects are not forced to use authentication a 3rd
    > party could write their own ASP code to interact with
    > those COM objects from their own server.
    >
    >
    > ASP relies upon the security features of Windows NT to
    > prevent unauthorized access.
    > http://securityportal.com/topnews/asp20000905.html
    >
    > B.A
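As an added example (not code from either poster), the following cscript/VBScript audit walks the IIS 5 metabase on a W2K server through the IIS ADSI provider and reports every web directory whose permissions differ from the combination Bob recommends: it flags directories that still have Read checked alongside Scripts (so a request that is not handled by asp.dll could return the .asp source as plain content) and directories with "Scripts and Executables" enabled. It assumes it is run locally as an administrator with `cscript audit-iis-perms.vbs`; the script name and the WARN labels are my own.

```vbscript
' Added example: audit IIS 5 (W2K) directory permissions via the ADSI provider.
' Reports Read+Scripts and Scripts-and-Executables directories; changes nothing.
Option Explicit

Dim objW3SVC, objSite
Set objW3SVC = GetObject("IIS://localhost/W3SVC")

' W3SVC contains one IIsWebServer object per web site (named "1", "2", ...).
For Each objSite In objW3SVC
    If objSite.Class = "IIsWebServer" Then
        WScript.Echo "Site " & objSite.Name & " (" & objSite.ServerComment & ")"
        WalkDir GetObject(objSite.ADsPath & "/Root"), "/"
    End If
Next

' Recurse through virtual directories and any physical directories that
' carry their own metabase settings (those changed in the IIS MMC).
Sub WalkDir(objDir, strVPath)
    Dim objChild
    Report objDir, strVPath
    For Each objChild In objDir
        If objChild.Class = "IIsWebVirtualDir" Or objChild.Class = "IIsWebDirectory" Then
            WalkDir objChild, strVPath & objChild.Name & "/"
        End If
    Next
End Sub

' Compare the directory's access flags with the recommended setting:
' Scripts on, Read off, Execute (Scripts and Executables) off.
Sub Report(objDir, strVPath)
    Dim strFlag
    strFlag = "ok"
    If objDir.AccessRead And objDir.AccessScript Then
        strFlag = "WARN: Read is still checked on a Scripts directory"
    End If
    If objDir.AccessExecute Then
        strFlag = "WARN: Scripts and Executables enabled"
    End If
    WScript.Echo "  " & strVPath & _
        "  Read=" & objDir.AccessRead & _
        "  Scripts=" & objDir.AccessScript & _
        "  Execute=" & objDir.AccessExecute & _
        "  -> " & strFlag
End Sub
```

To apply Bob's recommendation to a flagged directory from the same provider, set `AccessRead = False` and `AccessScript = True` on its object and call `SetInfo`; the NTFS permissions on the underlying folder are a separate check.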