From: Alan Pope (al_at_popey.com)
Date: Tue Jul 09 2002 - 09:19:22 CDT
On Tue, 9 Jul 2002, Andrew van der Stock wrote:
> Kevin,
>
> It is important to reinforce the lesson of "As long as the include file
> is not of a type that can be returned in plaintext to the server" bit of
> your mail. I see it all the time during my code reviews, and it's never
> a good thing.
>
> On IIS using ASP pages (not JSP's), it's good security administration
> practice to make sure all include files have a registered filetype
> handled by the ASP dll's.
>
> For example:
>
> <%
>
> include 'blah.inc'
>
> will probably allow an attacker to retrieve the source for blah.inc.
>
> If you rename 'blah.inc' to 'blah.asp', the source is processed by the
> ASP dll before being handed off to the requestor. There is no downside
> to this preferred behavior.
>
> Andrew
>
No downside? What about additional processing overhead on the server?
Al.
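The check Andrew describes, as an added audit script that is not part of this thread: walk a web root, parse classic ASP server-side include directives, and flag any include target whose extension IIS would not hand to asp.dll. The ASP_MAPPED set, the regex and the constructed sample web root are assumptions; confirm the script mappings against your own server.

```python
import os
import re
import tempfile

# Extensions asp.dll handles under a default IIS script map (assumption: verify
# against the script mappings configured on your own server).
ASP_MAPPED = {".asp", ".asa", ".cer", ".cdx"}
# Classic ASP server-side include directive: <!-- #include file|virtual="..." -->
INCLUDE_RE = re.compile(r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.I)

def is_asp_mapped(path):
    # True when the extension is one the ASP engine will process, not serve raw
    return os.path.splitext(path)[1].lower() in ASP_MAPPED

def find_unmapped_includes(webroot):
    """Sorted (page, include_target) pairs whose target would be returned as
    plaintext source because its extension has no ASP script mapping."""
    findings = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            if not is_asp_mapped(name):
                continue  # only ASP pages are parsed for include directives
            page = os.path.join(dirpath, name)
            with open(page, encoding="utf-8", errors="replace") as fh:
                for _kind, target in INCLUDE_RE.findall(fh.read()):
                    if not is_asp_mapped(target):
                        rel = os.path.relpath(page, webroot).replace(os.sep, "/")
                        findings.append((rel, target))
    return sorted(findings)

def build_sample_webroot():
    """Constructed sample site (not real data): one unmapped, one mapped include."""
    root = tempfile.mkdtemp(prefix="aspaudit_")
    os.mkdir(os.path.join(root, "lib"))
    pages = {
        "index.asp": '<!-- #include file="blah.inc" -->\n<% Response.Write "hi" %>\n',
        "lib/report.asp": '<!-- #include virtual="/lib/db.asp" -->\n',
        "blah.inc": '<% dbPassword = "placeholder" %>\n',  # readable as plaintext
        "lib/db.asp": '<% Set cn = Server.CreateObject("ADODB.Connection") %>\n',
    }
    for rel, body in pages.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for page, target in find_unmapped_includes(build_sample_webroot()):
        print(f"{page}: include '{target}' has no ASP mapping; rename it to .asp")
```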