Re: ASP Pages

From: Tim Greer (chatmaster_at_charter.net)
Date: 07/18/03

    To: "skate" <root@fatcuban.com>, "Eralper YILMAZ" <eryilmaz@porttakal.com>, <ben@lanwest.com.au>, "'Security-Basics'" <security-basics@securityfocus.com>
    Date: Fri, 18 Jul 2003 10:16:32 -0700

    It certainly doesn't hurt to put any files you can outside of the web root.
    Unfortunately anything that allows other users, or a poorly written script
    that does, to view files on the server without proper checking, well, you
    know. Anyway, I just thought I'd add that point, as well as the fact that
    it's not compiled means there's really nothing you can do, even if it might
    annoy or delay the person that is looking for the end result. But I'm sure
    you know all this, so I just added those points as well.

    --
    Regards,
    Tim Greer  chatmaster@charter.net
    Server administration, security, programming, consulting.
    ----- Original Message -----
    From: "skate" <root@fatcuban.com>
    To: "Tim Greer" <chatmaster@charter.net>; "Eralper YILMAZ"
    <eryilmaz@porttakal.com>; <ben@lanwest.com.au>; "'Security-Basics'"
    <security-basics@securityfocus.com>
    Sent: Friday, July 18, 2003 10:07 AM
    Subject: Re: ASP Pages
    > which is why i also mentioned about putting it outside the webroot, although
    > this may not necessarily protect from other users. i generally run my
    > scripts on my own server, so don't really come across this...
    >
    > ----- Original Message -----
    > From: "Tim Greer" <chatmaster@charter.net>
    > To: "skate" <root@fatcuban.com>; "Eralper YILMAZ" <eryilmaz@porttakal.com>;
    > <ben@lanwest.com.au>; "'Security-Basics'" <security-basics@securityfocus.com>
    > Sent: Friday, July 18, 2003 6:00 PM
    > Subject: Re: ASP Pages
    >
    >
    > > Correct, that barring any technical/configuration reasons that would show
    > > the ASP code in its text form would not be possible, there are several
    > > methods which are, such as a user on the same system opening and printing
    > > another user's ASP file's contents, or another ASP, or PHP or CGI, etc.
    > > script on the server that is intentionally allowing people to open and print
    > > file contents (which is often not intentional, though it exists).  So, some
    > > things can help, but anything interpreted will still allow someone to obtain
    > > the source code anyway, if they can manage to get that far.  This is why
    > > compiling is the best way to protect source code--and I don't know of a way
    > > (personally) to do this in ASP.  Note:  Don't confuse compiling with
    > > encrypting or obfuscating.
    > > --
    > > Regards,
    > > Tim Greer  chatmaster@charter.net
    > > Server administration, security, programming, consulting.
    > >
    > >
    > > ----- Original Message -----
    > > From: "skate" <root@fatcuban.com>
    > > To: "Eralper YILMAZ" <eryilmaz@porttakal.com>; <ben@lanwest.com.au>; "'Security-Basics'" <security-basics@securityfocus.com>
    > > Sent: Friday, July 18, 2003 9:01 AM
    > > Subject: Re: ASP Pages
    > >
    > >
    > > > no-one can read your asp code without having ftp (or similar) access to the
    > > > directory, the web server will run anything that it determines is asp, and
    > > > only transmit the output. this is the core of server side scripting.
    > > >
    > > > as an extra, double security, you should put most of the core functions into
    > > > includes, and have them stored outside the web root. occasionally, the web
    > > > server may have problems and transmit things before running them. i've seen
    > > > this happen in php anyway when the server is in the process of being
    > > > updated...
    > > >
    > > > ----- Original Message -----
    > > > From: "Eralper YILMAZ" <eryilmaz@porttakal.com>
    > > > To: <ben@lanwest.com.au>; "'Security-Basics'" <security-basics@securityfocus.com>
    > > > Sent: Friday, July 18, 2003 10:08 AM
    > > > Subject: Re: ASP Pages
    > > >
    > > >
    > > > > Hi,
    > > > >
    > > > > Use "Script Encoder "
    > > > >
    > > > > You can find detailed info at
    > > > >
    > > > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/SeconScriptEncoderOverview.asp
    > > > >
    > > > > ----- Original Message -----
    > > > > From: "Benjamin Meade" <ben@lanwest.com.au>
    > > > > To: "'Security-Basics'" <security-basics@securityfocus.com>
    > > > > Sent: Monday, June 16, 2003 9:51 AM
    > > > > Subject: ASP Pages
    > > > >
    > > > >
    > > > > >
    > > > > > Hi all,
    > > > > >
    > > > > > We are currently developing a project management system in ASP, and I am
    > > > > > a little concerned about code stealing. Given that the asp pages are
    > > > > > visible to everyone, how difficult is it for someone to download the
    > > > > > actual asp code? (As opposed to the html that the page generates).
    > > > > >
    > > > > > Also, there is the option for installing the site on a client's server.
    > > > > > Is there any way to encrypt this so that the server can read it, but the
    > > > > > clients cannot?
    > > > > >
    > > > > > Thanks,
    > > > > >
    > > > > > Benjamin Meade
    > > > > > System Administrator
    > > > > > LanWest Pty Ltd
    > > > > > Ph:  (08) 9440 3033
    > > > > > Fax: (08) 9440 3370
    ---------------------------------------------------------------------------
    Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
    The Gartner Group just put Neoteris in the top of its Magic Quadrant,
    while InStat has confirmed Neoteris as the leader in marketshare.
         
    Find out why, and see how you can get plug-n-play secure remote access in
    about an hour, with no client, server changes, or ongoing maintenance.
              
    Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    ----------------------------------------------------------------------------
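The risk the thread keeps returning to is not the web server handing out .asp files directly, but a script on the same server that opens and prints file contents "without proper checking". The following is an added example written for this archive page, not code from any poster: it puts that unchecked pattern beside a hardened file-serving handler that canonicalizes the requested path, refuses anything that resolves outside its configured directory, and serves only an allow-listed set of extensions. The directory layout it builds (a `wwwroot` with one page, and an include stored one level above it, as the thread recommends) is constructed in a temporary directory; all names and paths are hypothetical.

```python
"""Added example (not from the thread): a file-serving handler that refuses to
read outside its configured directory, beside the unchecked pattern the thread
warns about. Names and paths are hypothetical."""
import os
import tempfile


def read_file_unchecked(base_dir: str, requested: str) -> str:
    """The unsafe pattern: the requested name is joined to base_dir without any
    containment check, so a caller can name files the script never meant to serve."""
    with open(os.path.join(base_dir, requested), "r", encoding="utf-8") as fh:
        return fh.read()


def read_file_checked(base_dir: str, requested: str) -> str:
    """Hardened version: canonicalize both paths, require the target to be inside
    base_dir, and serve only a small allow-list of extensions (assumed policy)."""
    allowed_suffixes = (".txt", ".html")
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, requested))
    # realpath resolves "..", symlinks and absolute components, so a containment
    # test on the resolved path is sound; os.path.join alone is not, because an
    # absolute 'requested' discards base_dir entirely.
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"refusing to read outside {root}: {requested!r}")
    if not target.endswith(allowed_suffixes):
        raise PermissionError(f"file type not served: {requested!r}")
    if not os.path.isfile(target):
        raise FileNotFoundError(requested)
    with open(target, "r", encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Build a constructed layout (a web root with one servable page and an
    include stored outside it), exercise both handlers, and return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "wwwroot")
        os.makedirs(webroot)
        with open(os.path.join(webroot, "page.html"), "w", encoding="utf-8") as fh:
            fh.write("<h1>public page</h1>")
        # Constructed stand-in for an include kept outside the web root.
        with open(os.path.join(tmp, "secret.inc"), "w", encoding="utf-8") as fh:
            fh.write("' constructed include content")

        results = {}
        results["checked_ok"] = read_file_checked(webroot, "page.html")
        try:
            read_file_checked(webroot, "../secret.inc")
            results["checked_traversal"] = "served"
        except PermissionError:
            results["checked_traversal"] = "refused"
        try:
            read_file_checked(webroot, os.path.join(tmp, "secret.inc"))
            results["checked_absolute"] = "served"
        except PermissionError:
            results["checked_absolute"] = "refused"
        # The unchecked handler follows the same relative name without complaint.
        results["unchecked_traversal"] = read_file_unchecked(webroot, "../secret.inc")
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Storing includes above the web root, as skate suggests, only helps if every script that reads files on the box behaves like `read_file_checked`; a single handler shaped like `read_file_unchecked` exposes those includes just as readily as anything under the web root. Running the script as the least-privileged account that still needs to read the served files adds a second layer that does not depend on every script being written correctly.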