RE: passwords in asp pages

From: MARTIN M. Bénoni (benoni_martin_at_hotmail.com)
Date: 03/10/04

To: ian@kingcon.com
Date: Wed, 10 Mar 2004 09:39:30 +0000

    >From: "" <ian@kingcon.com>
    >To: SECURITY-BASICS@securityfocus.com
    >Subject: passwords in asp pages
    >Date: Tue, 9 Mar 2004 09:00:11 -0500
    >
    >I am new to security and I have no training in asp programming, so I am
    >wondering if I am right in being scared of the following instance...

    Well, there is always a point to start! :)

    >
    >A IIS based website which has asp pages which contain plaintext passwords
    >for credentials to an sql database on another machine. The passwords are
    >in between <% %> so I assume that means they are only processed on the
    >server and the user does not see them, and there do not seem to be any .inc
    >files calling these pages. The server is also up to date with patches as
    >far as I know.
    Watch out! A patched server does not mean a secure server!! And I quite agree
    that passwords should at least be hashed with something like MD5 or SHA-1!

    >
    >This situation really bothers me, but I'm not experienced enough to know
    >how it could be exploited or whether it could be exploited at all. I just
    >don't like the fact that passwords to a db user are scattered all over the
    >website. I need something to make it easy to say to the people
    >responsible... "Here look this is what can be done to the website to gather
    >the passwords and destroy your data. I don't think it is wise you do this,
    >it is in your best interests to change this pattern." The programmer
    >seemed to just brush it off, when I said that they could be viewed if their
    >source was viewed, by telling me that they would be only processed by the
    >server itself, which still doesn't make me feel good at all.
    Well, I am not an ASP programmer either, but I agree with the fact that
    clear-text passwords are not at all recommended!! As I said above, at least
    hashed, and even in a separate file accessible only by the admin of the
    server. At least that!

    >
    >Shouldn't the password be encrypted? Separated in their own file?
    >
    >Is it correct to assume that an attacker who elevated their privileges on
    >the web box could view these files and gain access to the database that
    >way through some other method?
    That's correct, but it depends on many things as well: how is the server
    partitioned? what are the security settings on the server? ...

    >
    >What else can be done by an attacker against asp pages that would allow
    >this data to be discovered?
    >
    >Also if I could actually just demonstrate it right before their eyes that
    >would be a big help.
    >
    >Thanks for any advice.
    >
    >Ian
    >:)
    >
    >
    >
    >Go to www.missingkids.com
    >
    >Though the words, opinions, and/or policies expressed herein are probably
    >right, and most likely right if you disagree with them, they are the
    >personal words, opinions, and/or policies of the person using this account.
    > They are not, and the author does not claim they are, the words,
    >opinions, and/or policies of the company and officers of Merrill
    >Information Systems Inc., any forum they are placed in, or any entity other
    >then the author himself that they may appear to represent. That being
    >said, the author probably thinks they should be the opinion of those
    >bodies, unless he is playing the devil's advocate.
    >
    >Send complaints or compliments to the author at:
    >
    >ianian@333ki ngc on.com
    >
    >Taking out all numbers and spaces and the first ian in the address, because
    >spammers use bots, some mailing lists block this information from prying
    >eyes, and people who pay attention can follow instructions.
    >
    >
    >
    >---------------------------------------------------------------------------
    >Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    >any course! All of our class sizes are guaranteed to be 10 students or less
    >to facilitate one-on-one interaction with one of our expert instructors.
    >Attend a course taught by an expert instructor with years of in-the-field
    >pen testing experience in our state of the art hacking lab. Master the
    >skills
    >of an Ethical Hacker to better assess the security of your organization.
    >Visit us at:
    >http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    >----------------------------------------------------------------------------
    >

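An added example, not part of this thread, that gives Ian the "show them" artefact he asks for from the defender's side: a small Python audit script that walks a copy of the site's source and reports every `Password=` / `PWD=` value embedded in ASP files, masking the value so the report itself is safe to hand to the people responsible. It also separates matches that sit inside server-side blocks (`<% %>` or `<script runat=server>`) from matches outside them, since anything outside those blocks is sent to the browser verbatim. The sample files it scans are constructed here, and `ReadSecret` in `clean.asp` is a hypothetical helper standing in for the separate, admin-only file the reply recommends.

```python
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Credential keys used in ADO/ODBC connection strings ("Password=..." or "PWD=...").
# The value group stops at ';', a quote or whitespace, so it captures only the secret.
SECRET_KEY = re.compile(r'\b(password|pwd)\s*=\s*([^;"\'\s]+)', re.IGNORECASE)

# Regions classic ASP executes on the server: <% ... %> blocks and
# <script runat="server"> ... </script> blocks (the form global.asa uses).
SERVER_BLOCK = re.compile(
    r'<%.*?%>|<script[^>]*runat\s*=\s*"?server"?[^>]*>.*?</script>',
    re.IGNORECASE | re.DOTALL,
)

# File types that may carry server-side script.
ASP_SUFFIXES = {'.asp', '.asa', '.inc'}


@dataclass
class Finding:
    file: str             # path relative to the scanned root
    line: int             # 1-based line number of the match
    key: str              # 'password' or 'pwd'
    masked: str           # first character of the value, rest starred
    client_visible: bool  # True if the match lies outside any server-side block


def mask(value):
    """Keep only the first character so the audit report does not itself leak the secret."""
    return value[:1] + '*' * (len(value) - 1)


def find_hardcoded_db_passwords(root):
    """Walk 'root' and report connection-string credentials found in ASP source files."""
    findings = []
    root = Path(root)
    for path in sorted(root.rglob('*')):
        if path.suffix.lower() not in ASP_SUFFIXES or not path.is_file():
            continue
        text = path.read_text(encoding='utf-8', errors='replace')
        server_spans = [(m.start(), m.end()) for m in SERVER_BLOCK.finditer(text)]
        for m in SECRET_KEY.finditer(text):
            inside = any(start <= m.start() < end for start, end in server_spans)
            findings.append(Finding(
                file=path.relative_to(root).as_posix(),
                line=text.count('\n', 0, m.start()) + 1,
                key=m.group(1).lower(),
                masked=mask(m.group(2)),
                client_visible=not inside,
            ))
    return findings


# Constructed sample site (not from the thread) so the scan can run offline.
SAMPLE_FILES = {
    'login.asp': (
        '<%\n'
        'Set conn = Server.CreateObject("ADODB.Connection")\n'
        'conn.Open "Provider=SQLOLEDB;Data Source=dbhost;User ID=webapp;Password=S3cret!"\n'
        '%>\n'
    ),
    'global.asa': (
        '<SCRIPT LANGUAGE=VBScript RUNAT=Server>\n'
        'Sub Application_OnStart\n'
        '  Application("ConnStr") = "DSN=sales;UID=sa;PWD=letmein"\n'
        'End Sub\n'
        '</SCRIPT>\n'
    ),
    # The credential sits in an HTML comment, outside <% %>, so IIS sends it to every browser.
    'report.asp': (
        '<html>\n'
        '<!-- TODO remove: dev connection Password=oops -->\n'
        '<% Response.Write "report" %>\n'
        '</html>\n'
    ),
    # The remediation the reply describes: the secret lives in a separate file outside the
    # web root that only the server admin / application identity can read. ReadSecret is a
    # hypothetical helper, not a real ASP function.
    'clean.asp': (
        '<%\n'
        "' connection string is read from a file outside the web root\n"
        'connStr = ReadSecret("D:\\secrets\\db.conn")\n'
        '%>\n'
    ),
}


def scan_sample_site():
    """Write the constructed files to a temp dir, scan them and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            Path(tmp, name).write_text(body, encoding='utf-8')
        return find_hardcoded_db_passwords(tmp)


if __name__ == '__main__':
    for f in scan_sample_site():
        where = 'SENT TO CLIENT' if f.client_visible else 'server-side only'
        print(f'{f.file}:{f.line}: {f.key}={f.masked} ({where})')
```

Run it against a checkout of the real site by calling `find_hardcoded_db_passwords('/path/to/wwwroot')` instead of the sample; every line it prints is one place where the database credential has to be moved out of page source, and a `SENT TO CLIENT` line is one anyone with a browser can already read.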
