(no subject)
From: Tristan Brotherton (Tris@FLUIDJUICE.COM) Date: 02/06/02
Date: Wed, 6 Feb 2002 12:26:18 -0000 From: Tristan Brotherton <Tris@FLUIDJUICE.COM> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Russ,
Thanks for your pointers, below is my reply: :)
All,
I started to play with MS siteserver, for content management on some of
our systems. I was a bit horrified that with a default install it
installs an ASP file called "viewsource.asp" that, surprise surprise
allows you to view the source code for any ASP / server based files on
that site.
By default, this means a well-educated "user" could gain source access,
and possible database passwords to any page on your website.
Needless to say after the default install I got rid of it. It normally
resides in: http://SERVER/SiteServer/Publishing/viewcode.asp
It will remain on this URL if you follow the default site server setup.
Simply pass it a URL and it will show you full source, i.e.:
http://SERVER/SiteServer/Publishing/viewcode.asp?source=/PAGETODISPLAY.asp
Surely no big commercial company would leave this nasty little asp page
running?
Well, I had a quick check on several Microsoft run sites, and gained
full access to their sites source code / content management systems. I
have since informed the concerned parties, and the scripts have been
removed.
Solution - CHECK YOUR SITESERVER install for viewsource.asp. If a default
install has taken place, REMOVE the sample sites. Check this by viewing
http://SERVER/SiteServer/ to see if any pages are displayed.
<start dig at ms> I find it worrying that this file is installed with NO
PERMISSIONING allowing full access to private data on the system. I also
find it worrying the writers themselves didn't notice the adverse
effects when installing it on their own systems </end dig at ms>
Tristan Brotherton Fluidjuice Digital
Tris@fluidjuice.com
- peace, love and bandwidth-
Tristan Brotherton
Founder and Director - Fluidjuice Digital
Web: www.fluidjuice.com
Email: Tris@fluidjuice.com
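The post recommends checking your own Site Server install for the sample publishing pages. A second thing an administrator will want after removing them is to know whether viewcode.asp was ever used against the server before it was taken down. The following script is an added example (not part of the original message and not Microsoft's code): it reads IIS W3C extended log lines, picks out every request for /SiteServer/Publishing/viewcode.asp regardless of letter case, and reports which files the source= parameter asked for and whether the server answered 200. The log lines and the field set (date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status) are constructed for the example; a real log's #Fields line may list more columns, and the parser follows whatever that line declares.

```python
"""Flag requests to Site Server's viewcode.asp in IIS W3C extended logs."""
from urllib.parse import parse_qs

# Constructed sample log in IIS W3C extended format (not from any real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-02-06 12:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-02-06 12:00:01 10.0.0.5 GET /default.asp - 200
2002-02-06 12:00:09 10.0.0.7 GET /SiteServer/Publishing/viewcode.asp source=/login.asp 200
2002-02-06 12:00:12 10.0.0.7 GET /siteserver/publishing/VIEWCODE.ASP source=/includes/db.asp 200
2002-02-06 12:00:20 10.0.0.9 GET /SiteServer/Publishing/viewcode.asp source=/about.asp 404
2002-02-06 12:01:02 10.0.0.5 GET /products.asp id=3 200
"""

# The page named in the post; matched case-insensitively because IIS paths are.
WATCHED_STEMS = {"/siteserver/publishing/viewcode.asp"}


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def find_viewcode_requests(text):
    """Return a list of findings for every request aimed at viewcode.asp."""
    findings = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if stem not in WATCHED_STEMS:
            continue
        query = rec.get("cs-uri-query", "-")
        params = parse_qs(query) if query != "-" else {}
        # The file the caller asked to read; "?" if no source= parameter was given.
        source = params.get("source", ["?"])[0]
        findings.append({
            "time": f"{rec['date']} {rec['time']}",
            "client": rec.get("c-ip"),
            "requested_source": source,
            "status": int(rec.get("sc-status", 0)),
            "served": rec.get("sc-status") == "200",
        })
    return findings


def served_sources(findings):
    """Set of files the server actually returned (HTTP 200) via viewcode.asp."""
    return {f["requested_source"] for f in findings if f["served"]}


if __name__ == "__main__":
    hits = find_viewcode_requests(SAMPLE_LOG)
    for h in hits:
        flag = "DISCLOSED" if h["served"] else "refused  "
        print(f"{h['time']}  {h['client']:<10} {flag} {h['requested_source']}")
    print("files disclosed:", sorted(served_sources(hits)))
```

Any file listed as disclosed should be treated as compromised: credentials embedded in it (the post's "possible database passwords") need rotating, not just the sample pages removing. Run the script over the logs from the whole period the default install was exposed, not only the current log file.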