Re: are my binaries being exposed on my ASP.NET website?

From: Thor (thor_at_hammerofgod.com)
Date: 11/25/03

    To: <ed.devlin@detica.com>, <focus-ms@securityfocus.com>
    Date: Tue, 25 Nov 2003 09:00:07 -0800
    
    

    The key here is that you've got a facility for users to alter files once
    logged in. Renaming the file keeps the server from applying ISAPI extension
    mappings to the file, and thus allows for a standard HTTP download of the
    file. It is the same thing as spidering a site for cgi, asp, etc files and
    then checking for the same file names with a BAK extension where the
    developer made a quick copy of the file before doing an edit. Great way to
    get asp source files for connection string info, etc.

    The users you have set up to log in via WebDav should not have permissions
    to the other files on the server.

    tht

    t

    ----- Original Message -----
    From: <ed.devlin@detica.com>
    To: <focus-ms@securityfocus.com>
    Sent: Tuesday, November 25, 2003 3:09 AM
    Subject: are my binaries being exposed on my ASP.NET website?

    >
    >
    > We've had some security consultants go over our website looking for
    vulnerabilities, and they've found a binary file exposure problem, but I
    can't reproduce it - has anyone seen something like this?
    >
    > My website runs on SSL and uses forms-based authentication. IIS lockdown
    and URLScan 2.5 are installed. WebDAV is ENABLED (with restricted verbs)
    for file transfer by special users (using integrated Windows authentication).
    >
    > Hacker goes to my login page and logs in using correct credentials. Once
    logged in, the hacker removes the ".aspx" extension from a URL, and is given
    a binary file in response to the request!
    >
    > I can't get this to work on any of my test browsers (I always get a 404),
    but the consultant assures me he reproduced it using IE 6.0 and a personal
    proxy.
    >
    > Could it be IIS handing out a fragment of pre-compiled ASPX code-behind?
    Might it be to do with debug settings in web.config?
    >
    > If you have any ideas please let me know
    >
    > Thanks
    >
    > Ed
    >

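The check Thor describes (spider for .asp/.aspx URLs, then request the same names with a backup extension or with the extension stripped) is easy to automate. The script below is an added example written for this page; it is not code from either poster, from IIS or from URLScan. It derives candidate backup names from each script URL, fetches them, and flags anything that comes back as raw source or as a non-HTML static download. The host names, URLs and responses used in testing are constructed for the example, and the suffix list and source markers are the author's assumptions about common developer habits, not anything the original thread specifies.

```python
"""Check a site for renamed or backup copies of server-side script files.

Added example, not part of the original posting or any product: given URLs
of ASP/ASPX pages found while spidering, derive the names a developer might
leave behind (login.aspx.bak, login.aspx.old, the extension-less "login", ...)
and flag responses that come back as a static download or as raw source
instead of the executed page.  Host names, URLs and responses used in tests
are constructed for the example; only probe sites you are authorised to test.
"""
import posixpath
import sys
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen

# Suffixes a developer commonly appends when copying a file before editing it
# (assumed list; extend it for the conventions of the shop you are testing).
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".txt", "~")

# Fragments that appear in un-processed ASP.NET / ASP source but not in the
# HTML a correctly executed page emits (assumed markers).
SOURCE_MARKERS = (b"<%@", b'runat="server"', b"runat=server", b"Inherits=")


def backup_candidates(url):
    """Return candidate URLs that might hold an un-executed copy of `url`."""
    parts = urlsplit(url)
    directory, name = posixpath.split(parts.path)
    stem, ext = posixpath.splitext(name)
    if not ext:
        return []                 # a directory or extension-less name: nothing to vary
    names = [stem]                # "login": no extension, so no ISAPI mapping applies
    names += [name + s for s in BACKUP_SUFFIXES]              # login.aspx.bak, login.aspx~
    names += [stem + s for s in BACKUP_SUFFIXES if s != "~"]  # login.bak, login.old, ...
    candidates = []
    for n in names:
        path = posixpath.join(directory, n)
        cand = urlunsplit(parts._replace(path=path, query="", fragment=""))
        if cand not in candidates and cand != url:
            candidates.append(cand)
    return candidates


def classify(status, content_type, body):
    """Say what a response to a candidate URL looks like.

    "source"   - the body carries ASP/ASPX markup, i.e. the file was served raw
    "download" - 200 but not HTML: a static file (binary or text) was handed out
    "none"     - anything else (404, redirect to login, normal HTML output)
    """
    if status != 200:
        return "none"
    if any(marker in body for marker in SOURCE_MARKERS):
        return "source"
    if not content_type.lower().startswith("text/html"):
        return "download"
    return "none"


def http_fetch(url, timeout=10):
    """Default fetcher: GET the URL and return (status, content_type, first 4 KiB)."""
    req = Request(url, headers={"User-Agent": "bak-probe/0.1"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.headers.get("Content-Type", ""), resp.read(4096)
    except HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), b""
    except URLError:
        return 0, "", b""


def probe(seed_urls, fetch=http_fetch):
    """Probe every candidate derived from `seed_urls`; return {url: verdict} for hits.

    `fetch` is injectable so the logic can be exercised offline; it must return
    (status, content_type, body) exactly like `http_fetch`.
    """
    hits = {}
    for seed in seed_urls:
        for cand in backup_candidates(seed):
            verdict = classify(*fetch(cand))
            if verdict != "none":
                hits[cand] = verdict
    return hits


if __name__ == "__main__":
    # usage: python bak_probe.py https://host/app/login.aspx [more urls...]
    for url, verdict in probe(sys.argv[1:]).items():
        print(f"{verdict:8s} {url}")
```

Because the case in the thread only reproduces after logging in, run the probe with the session cookie the application issued (add a Cookie header to the request in `http_fetch`, or pass your own `fetch`); a 302 to the login page is classified as "none" and would hide the exposure otherwise. A "download" verdict on the extension-less name is exactly the symptom the consultant reported: the file exists under a name that has no script mapping, so IIS serves its bytes unchanged.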
