Subject: (no subject)
From: Paul Rogers (paul.rogers MIS-CDS.COM)
Date: Tue Aug 08 2000 - 10:28:03 CDT
Hi ppl,
Can't seem to find any info about this on Microsoft's site or BugtraQ so I
thought I'd post here.
In certain IIS/4.0 configurations with ASP (assumption because the file
seems to be an ASP include) and SQL Server running (unknown version),
http://server/include/dbconfig.inc reveals the DSN, username and password to
the database being utilised by the website. Does anyone know about this and
under what configuration conditions does this occur? Or is it just poor
configuration on the IIS server revealing the include directory for ASP
scripts run on the site? I think it may be the latter but I'm no NT/IIS
security guru.
Sample output:
<%
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open "DSN=testdb;UID=user1;PWD=xxxx"
' Conn.Open "testsite"
Set SQLConn = Server.CreateObject("ADODB.Connection")
SQLConn.Open "DSN=testdb;UID=user1;PWD=xxxx"
%>
Cheers,
Paul Rogers,
Network Security Analyst.
MIS Corporate Defence Solutions Limited
Tel: +44 (0)1622 723422 (Direct Line)
+44 (0)1622 723400 (Switchboard)
Fax: +44 (0)1622 728580
Website: http://www.mis-cds.com/
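
The exposure described in this message, as an added example that is not part of the original post: assuming the cause is that the .inc extension is not mapped to the ASP script engine, so the server returns the file's source as a static document, this Python audit walks a local web root and flags such files. The function names, the SCRIPT_MAPPED set and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: only these extensions are handed to the ASP script engine on the
# server being audited; adjust the set to match the site's script mappings.
SCRIPT_MAPPED = {".asp", ".asa"}
SERVER_BLOCK = re.compile(rb"<%.*?%>", re.DOTALL)
CRED_KEY = re.compile(rb"\b(UID|PWD)\s*=", re.IGNORECASE)  # keys from the post's sample


def audit_webroot(root, script_mapped=SCRIPT_MAPPED):
    """Return sorted (relative_path, reasons) for files that would be served as plain text."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in script_mapped:
                continue  # executed by the script engine, source is not returned
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            reasons = []
            if SERVER_BLOCK.search(data):
                reasons.append("server-side script block")
            if CRED_KEY.search(data):
                reasons.append("connection-string credentials")
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree: an include like the post's, plus a copy renamed to .asp."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.mkdir(os.path.join(root, "include"))
    body = b'<%\nConn.Open "DSN=testdb;UID=user1;PWD=xxxx"\n%>\n'
    files = {"include/dbconfig.inc": body, "include/dbconfig.asp": body,
             "index.htm": b"<html><body>hello</body></html>"}
    for rel, data in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, reasons in audit_webroot(build_sample_webroot()):
        print(f"{rel}: {', '.join(reasons)}")
```

Files it flags are candidates for renaming to a script-mapped extension or for moving out of the served directory tree.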