From: Nik Cubrilovic (nik_at_nik.com.au)
Date: Tue Jul 09 2002 - 12:48:34 CDT
On Tue, 9 Jul 2002, Alan Pope wrote:
> On Tue, 9 Jul 2002, Andrew van der Stock wrote:
>
> > Kevin,
> >
> > It is important to reinforce the lesson of "As long as the include file
> > is not of a type that can be returned in plaintext to the server" bit of
> > your mail. I see it all the time during my code reviews, and it's never
> > a good thing.
> >
> > On IIS using ASP pages (not JSPs), it's good security administration
> > practice to make sure all include files have a registered filetype
> > handled by the ASP DLLs.
> >
> > For example:
> >
> > <%
> >
> > include 'blah.inc'
> >
> > will probably allow an attacker to retrieve the source for blah.inc.
> >
> > If you rename 'blah.inc' to 'blah.asp', the source is processed by the
> > ASP dll before being handed off to the requestor. There is no downside
> > to this preferred behavior.
> >
> > Andrew
> >
> No downside? What about additional processing overhead on the server?
>
> Al.
>
No downside, since this only applies if the file is directly requested, and in
that case I am sure you don't mind it being parsed as ASP. Besides, it is
server-side code in that file anyway.
-Nik
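The thread's point is that an include file with an extension IIS does not hand to asp.dll (such as .inc) comes back as raw source when requested directly. The script below is an added example, not code from the thread or its authors: it requests a list of candidate include paths and classifies each response by whether unprocessed ASP source (script delimiters, intrinsic objects, nested include directives) survives in the body. The base URL and include paths are hypothetical, and the sample responses at the bottom are constructed so the classifier can be exercised offline.

```python
"""Check whether ASP include files are served back as plain source.

Added example, not part of the original mailing-list thread. URLs and
include paths are hypothetical; SAMPLE_RESPONSES is constructed data.
"""
import re
import urllib.error
import urllib.request

# Markers that should never survive in a response if asp.dll processed the
# file. Any hit means the server returned the include verbatim.
ASP_SOURCE_MARKERS = (
    re.compile(r"<%"),                        # ASP script delimiter
    re.compile(r"<!--\s*#include\b", re.I),   # nested SSI include directive
    re.compile(r"\bResponse\.Write\b"),       # VBScript intrinsic object
    re.compile(r"\bServer\.CreateObject\b"),  # COM instantiation
    re.compile(r"\bConnectionString\b", re.I),
)


def classify_response(status, body):
    """Classify one response as exposed, processed, missing or blocked.

    exposed   - 200 with raw ASP source in the body (the .inc problem)
    processed - 200 without source markers; asp.dll ran the file
    missing   - 404; the include is not at the guessed path
    blocked   - any other status, e.g. 403 because the extension is denied
    """
    if status == 404:
        return "missing"
    if status != 200:
        return "blocked"
    if any(marker.search(body) for marker in ASP_SOURCE_MARKERS):
        return "exposed"
    return "processed"


def fetch(url, timeout=10):
    """GET url and return (status, body_text); errors become their status."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("latin-1", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def check_includes(base_url, paths):
    """Request each candidate include path and return {path: verdict}."""
    base = base_url.rstrip("/")
    return {p: classify_response(*fetch(base + "/" + p.lstrip("/")))
            for p in paths}


# Constructed responses standing in for what a server might return.
SAMPLE_RESPONSES = {
    "inc/db.inc": (200, '<% Set conn = Server.CreateObject("ADODB.Connection")\n'
                        'conn.Open "Provider=SQLOLEDB;..." %>'),
    "inc/db.asp": (200, ""),                      # processed: nothing emitted
    "inc/header.inc": (200, "<html><body><h1>Site</h1></body></html>"),
    "inc/old.inc": (404, ""),
    "inc/denied.inc": (403, ""),
}


def classify_samples():
    """Run the classifier over the constructed responses."""
    return {path: classify_response(status, body)
            for path, (status, body) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for path, verdict in classify_samples().items():
        print(f"{verdict:10s} {path}")
    # Against a live host you would instead call, for example:
    # check_includes("http://www.example.com", ["inc/db.inc", "inc/db.asp"])
```

Two caveats a reviewer would add. First, a 200 with no markers only shows the file was executed, not that executing it standalone is harmless: an include renamed to .asp that does work at top level (opens a connection, writes output) will do that work whenever someone requests it directly, so the include should still contain only declarations and procedures. Second, renaming is one of two fixes; the other is to map the .inc extension to asp.dll in the IIS application mappings so existing filenames need not change.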