Re: passwords in asp pages

From: Michael Gale (michael_at_bluesuperman.com)
Date: 03/10/04

  • Next message: Christopher Herrmann: "RE: GOTOMYPC Corporate?"
    Date: Tue, 9 Mar 2004 20:18:34 -0700
    To: security-basics@securityfocus.com
    
    

    Hello,

            I believe a hacker would have to compromise the box in order to see the
    passwords, unless it is printed to the client via a web page or http
    eviro variable.

    Is the site available via http or https ? If it is http then a sniffer
    will show the passwords, it should be HTTPS.

    Michael.

    On Tue, 9 Mar 2004 09:00:11 -0500
    "" <ian@kingcon.com> wrote:

    > I am new to security and I have no training in asp programming, so I
    > am wondering if I am right in being scared of the following
    > instance...
    >
    > A IIS based website which has asp pages which contain plaintext
    > passwords for credentials to an sql database on another machine. The
    > passwords are in between <% %> so I assume that means they are only
    > processed on the server and the user does not see them, and there do
    > not seem to be any .inc files calling these pages. The server is also
    > up to date with patches as far as I know.
    >
    > This situation really bothers me, but I'm not experienced enough too
    > know how it could be exploited or whether it could be exploited at
    > all. I just don't like the fact that passwords to a db user are
    > scattered all over the website. I need something to make it easy to
    > say to the people responsible... "Here look this is what can be done
    > to the website to gather the passwords and destroy your data. I don't
    > think it is wise you do this, it is in your best interests to change
    > this pattern." The programmer seemed to just brush it off, when I
    > said that they could be viewed if their source was viewed, by telling
    > me that they would be only processed by the server itself, which still
    > doesn't make me feel good at all.
    >
    > Shouldn't the password be encrypted? Seperated in their own file?
    >
    > Is it correct to assume that an attacker who elevated their
    > priveledges on the web box could view these files and gain access too
    > the database that way through some other method?
    >
    > What else can be done by an attacker against asp pages that would
    > allow this data to be discovered?
    >
    > Also if I could actually just demonstrate it right before their eyes
    > that would be a big help.
    >
    > Thanks for any advice.
    >
    > Ian
    > :)
    >
    >
    >
    > Go to www.missingkids.com
    >
    > Though the words, opinions, and/or policies expressed herein are
    > probably right, and most likely right if you disagree with them, they
    > are the personal words, opinions, and/or policies of the person using
    > this account. They are not, and the author does not claim they are,
    > the words, opinions, and/or policies of the company and officers of
    > Merrill Information Systems Inc., any forum they are placed in, or any
    > entity other then the author himself that they may appear to
    > represent. That being said, the author probably thinks they should be
    > the opinion of those bodies, unless he is playing the devil's
    > advocate.
    >
    > Send complaints or compliments to the author at:
    >
    > ianian@333ki ngc on.com
    >
    > Taking out all numbers and spaces and the first ian in the address,
    > because spammers use bots, some mailing lists block this information
    > from prying eyes, and people who pay attention can follow
    > instructions.
    >
    >
    >
    > ---------------------------------------------------------------------
    > ------ Ethical Hacking at the InfoSec Institute. Mention this ad and
    > get $545 off any course! All of our class sizes are guaranteed to be
    > 10 students or less to facilitate one-on-one interaction with one of
    > our expert instructors. Attend a course taught by an expert instructor
    > with years of in-the-field pen testing experience in our state of the
    > art hacking lab. Master the skills of an Ethical Hacker to better
    > assess the security of your organization. Visit us at:
    > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    > ---------------------------------------------------------------------
    > -------
    >

    -- 
    Hand over the Slackware CD's and back AWAY from the computer, your geek
    rights have been revoked !!!
    Michael Gale
    Slackware user :)
    Bluesuperman.com 
    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
    any course! All of our class sizes are guaranteed to be 10 students or less 
    to facilitate one-on-one interaction with one of our expert instructors. 
    Attend a course taught by an expert instructor with years of in-the-field 
    pen testing experience in our state of the art hacking lab. Master the skills 
    of an Ethical Hacker to better assess the security of your organization. 
    Visit us at: 
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------
    

  • Next message: Christopher Herrmann: "RE: GOTOMYPC Corporate?"

    Relevant Pages

    • RE: passwords in asp pages
      ... An old vulnerability in IIS was that a specially crafted URL would return the script of an ASP page instead of executing it. ... Subject: passwords in asp pages ... All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. ...
      (Security-Basics)
    • RE: Minimum password requirements
      ... Passwords must be changed at least every 90 days. ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field ... This e-mail transmission, ...
      (Security-Basics)
    • Re: passwords in asp pages
      ... server and resulting HTML is sent down to the client ... The passwords are ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field ...
      (Security-Basics)
    • Re: User Passwords and security risks
      ... Security Awareness training about passwords. ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field ...
      (Security-Basics)
    • Re: Password Change Prompt breaks ASP.NET pages
      ... Normally for security related events you'd be seeing Access ... Denied type errors if passwords weren't synched. ... The error message is indeed an HTTP 404 File Not Found. ... :>: pushed to the web server. ...
      (microsoft.public.dotnet.framework.aspnet.security)