dnsadmin_at_cboss.com
Date: Tue Jul 09 2002 - 09:27:25 CDT


    We now use .asp / .jsp for includes. To address sites with .inc already
    in use, in IIS we added a mapping for the extension .inc to use the
    executable asp.dll. Now you can't read them as text files.

    -=bina

    -----Original Message-----
    From: Andrew van der Stock [mailto:avanderstock@b-sec.com.au]
    Sent: Tuesday, July 09, 2002 3:28 AM
    To: Kevin Spett; Narsimha Mogiloji; webappsec@securityfocus.com
    Subject: RE: JSP (app security)

    Kevin,

    It is important to reinforce the lesson of "As long as the include file
    is not of a type that can be returned in plaintext to the server" bit of
    your mail. I see it all the time during my code reviews, and it's never
    a good thing.

    On IIS using ASP pages (not JSP's), it's good security administration
    practice to make sure all include files have a registered filetype
    handled by the ASP dll's.

    For example:

            <!--#include file="blah.inc"-->
            <%
                ' code defined in blah.inc is available to the page here
            %>

    will probably allow an attacker to retrieve the source for blah.inc.

    If you rename 'blah.inc' to 'blah.asp', the source is processed by the
    ASP dll before being handed off to the requestor. There is no downside
    to this preferred behavior.

    Andrew

    -----Original Message-----
    From: Kevin Spett [mailto:kspett@spidynamics.com]
    Sent: Saturday, 29 June 2002 5:10 AM
    To: Narsimha Mogiloji; webappsec@securityfocus.com
    Subject: Re: JSP (app security)

    This is not a security issue with this coding practice on any web
    [application] server that I know of. As long as the include file is not
    of a type that can be returned in plaintext to the server, this doesn't
    really give an attacker much to work with in absence of a way to view
    the source code of JSP files of your choosing.
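The .inc-to-asp.dll mapping bina describes above was done in the IIS metabase in 2002. As an added example, not from any of the posters, this is the equivalent on IIS 7 or later in a site's web.config, assuming the standard asp.dll path; the first handler entry sends .inc files through the ASP processor as Andrew recommends, and the commented-out request-filtering entry is the stricter alternative of refusing to serve .inc files at all.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <!-- Option 1: process *.inc with asp.dll so the source is never
         returned as plain text (mirrors the classic ASP handler entry). -->
    <handlers>
      <add name="AspInclude"
           path="*.inc"
           verb="GET,HEAD,POST"
           modules="IsapiModule"
           scriptProcessor="%windir%\system32\inetsrv\asp.dll"
           resourceType="File" />
    </handlers>

    <!-- Option 2 (stricter): never serve *.inc directly. Server-side
         #include directives still read the file from disk, so pages
         keep working while direct requests get HTTP 404.
    <security>
      <requestFiltering>
        <fileExtensions>
          <add fileExtension=".inc" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
    -->
  </system.webServer>
</configuration>
```

After deploying either option, request an include file directly from your own site and confirm the response is an ASP-processed page or a 404, not the raw source.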