Subject: ASP Security Hole (fwd)
From: MJE (markNTSHOP.NET)
Date: Thu Feb 10 2000 - 16:21:12 CST
> ---------- Forwarded message ----------
> Active server pages (ASP) with runtime errors
> expose a security hole that publishes
> the full source code name to the caller.
> If these scripts are published on the
> internet before they are debugged by
> the programmer, the major search
> engines index them. These indexed
> ASP pages can then be located with a
> simple search. The search results publish
> the full path and file name for the ASP
> scripts. This URL can be viewed in a browser
> and may reveal full source code with
> details of business logic, database location
> and structure.
> - In the AltaVista search engine, execute a search for
> +"Microsoft VBScript runtime error" +".inc, "
> - Look for search results that include the full
> path and filename for an include (.inc) file.
> - Append the include filename to the host name
> and call this up in a web browser.
> Example: www.rodney.com/stationery/browser.inc
> Exposes database connections and properties, resource locations,
> cookie logic, server IP addresses, business logic
> Exposes database properties, business logic
> Exposes cobranding business logic
> Exposes datafile locations and structure
> Exposes source code for StoreFront 2000 including
> Exposes search engine log
> Exposes cookie logic
> - Search engines should not index pages that
> have ASP runtime errors.
> - Programmers should fully debug their ASP
> scripts before publishing them on the web.
> - Security administrators need to secure
> the ASP include files so that external users
> cannot view them.
> JW's Software Gems
> Phone (949) 855-0233
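A defender-side check for the two problems the forwarded note describes (an unhandled ASP error page disclosing the include path, and a .inc file being served as plain text), written as an added example that is not part of the original post. The error-page layout and the IIS W3C log rows are constructed samples; the error-number and ", line N" trailer follow the classic ASP error format, and the log field order is assumed.

```python
import re
from dataclasses import dataclass

# Constructed sample of the page classic ASP returns when a VBScript error goes
# unhandled: error number, description, then "<server path>, line <n>".
SAMPLE_ERROR_BODY = """<font face="Arial" size=2>
<p>Microsoft VBScript runtime error '800a01a8'</p>
<p>Object required: 'objConn'</p>
<p>/stationery/browser.inc, line 45</p>
</font>"""

# Constructed IIS W3C log rows; assumed field order:
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """2000-02-10 16:21:12 192.0.2.5 GET /stationery/browser.inc 200
2000-02-10 16:21:13 192.0.2.5 GET /default.asp 200
2000-02-10 16:21:14 192.0.2.9 GET /common/db.inc 404"""

# Error banner, then the "<path>, line <n>" trailer that leaks the script path.
ERROR_RE = re.compile(
    r"Microsoft (?:VBScript|JScript) (?:runtime|compilation) error '(?P<code>[0-9A-Fa-f]+)'"
    r".*?(?P<path>/[^\s,<>]+\.(?:inc|asp)),\s*line\s*(?P<line>\d+)",
    re.DOTALL | re.IGNORECASE,
)

@dataclass(frozen=True)
class LeakedPath:
    code: str   # ASP error number, e.g. 800a01a8
    path: str   # server-side script path disclosed in the error page
    line: int

def find_leaked_paths(body: str) -> list[LeakedPath]:
    """Extract every script path an unhandled ASP error page discloses."""
    return [LeakedPath(m["code"].lower(), m["path"], int(m["line"]))
            for m in ERROR_RE.finditer(body)]

def served_includes(log_text: str) -> list[str]:
    """URI stems of .inc files fetched directly with HTTP 200. IIS hands an
    unmapped .inc file to the client as plain text, so each hit is a source leak."""
    hits = []
    for row in log_text.splitlines():
        fields = row.split()
        if len(fields) < 6 or fields[3].upper() != "GET":
            continue
        stem, status = fields[4], fields[5]
        if stem.lower().endswith(".inc") and status == "200":
            hits.append(stem)
    return hits

if __name__ == "__main__":
    for leak in find_leaked_paths(SAMPLE_ERROR_BODY):
        print(f"error page discloses {leak.path} (line {leak.line}, {leak.code})")
    for stem in served_includes(SAMPLE_LOG):
        print(f"include served as source: {stem}")
```

Paths reported by either function are the files to move outside the web root or map to asp.dll, and the pages that produce such errors are candidates for a custom error handler so the path never reaches the client.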