OSEC

 
From: Gregory Steuck (greg_at_nest.cx)
Date: Tue Jul 09 2002 - 20:12:33 CDT


    >>>>> "Andrew" == Andrew van der Stock <avanderstockb-sec.com.au> writes:

        Andrew> If you rename 'blah.inc' to 'blah.asp', the source is
        Andrew> processed by the ASP dll before being handed off to the
        Andrew> requestor. There is no downside to this preferred behavior.

    I dare say there is a security risk associated with this kind of
    behavior. In that scenario all include files must be prepared to be used
    outside their normal context. Just imagine something like this:

    normal.asp includes show_sensitive_info.asp

    normal.asp handles access control. show_sensitive_info.asp trusts its
    environment to contain a valid userId parameter. An attacker calls
    show_sensitive_info.asp and sets userId to whatever he likes.

    While this example is imaginary it demonstrates the basic problem with
    unexpected entry points. (Isn't it the reason we have a fixed number of
    system calls, instead of jumping directly to the right address in the
    kernel?)

    So, to repeat what I already said in this thread: if you care about
    predictability of your app (and its security as a consequence), you
    shouldn't allow unexpected entry points.

    Doesn't the ASP approach have something like WEB-INF?

    Bye
    Greg
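
An audit for the problem discussed in this message, as an added example that is not part of the original post: it parses classic ASP `#include` directives and reports include files that the server would also execute when requested directly. The sample site, the function names and the `EXECUTED_EXTENSIONS` set are assumptions made for illustration.

```python
import posixpath
import re

# Classic ASP server-side include directive, e.g. <!-- #include file="x.asp" -->
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE)

# Assumption: extensions the web server executes when a client requests them.
EXECUTED_EXTENSIONS = {".asp"}

# Constructed sample site: site-root-relative path -> source text.
SAMPLE_SITE = {
    "/app/normal.asp": "<% ' access control here %>\n"
                       '<!-- #include file="show_sensitive_info.asp" -->',
    "/app/show_sensitive_info.asp": "<% ' trusts userId from its environment %>",
    "/app/report.asp": '<!-- #include virtual="/inc/header.inc" -->',
    "/inc/header.inc": "<h1>Report</h1>",
}


def include_targets(site):
    """Map every included path to the set of pages that include it."""
    targets = {}
    for page, source in site.items():
        for kind, ref in INCLUDE_RE.findall(source):
            ref = ref.replace("\\", "/")
            if kind.lower() == "virtual":      # relative to the site root
                resolved = posixpath.normpath("/" + ref.lstrip("/"))
            else:                              # relative to the including file
                resolved = posixpath.normpath(
                    posixpath.join(posixpath.dirname(page), ref))
            targets.setdefault(resolved, set()).add(page)
    return targets


def unexpected_entry_points(site):
    """Included files that a client could also request and execute directly."""
    findings = []
    for path, includers in sorted(include_targets(site).items()):
        extension = posixpath.splitext(path)[1].lower()
        if path in site and extension in EXECUTED_EXTENSIONS:
            findings.append((path, sorted(includers)))
    return findings


if __name__ == "__main__":
    for path, includers in unexpected_entry_points(SAMPLE_SITE):
        print(f"{path} is included by {includers} and is directly requestable")
```

Each finding is an include file that has to enforce its own checks or be made unreachable by direct request.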