RE: passwords in asp pages

From: Tiago Halm (thalm_at_netcabo.pt)
Date: 03/10/04

    To: <ian@kingcon.com>, <SECURITY-BASICS@securityfocus.com>
    Date: Wed, 10 Mar 2004 10:05:21 -0000
    
    

    Hi Ian,

    1. The connection to SQL should be done by NT Authentication rather than SQL
    Authentication. That way there will be no password involved, only its hash.
    When using SQL Authentication the password itself may be viewed by a
    sniffer.

    2. The DB connection (in terms of efficiency) should use connection pooling
    in order to optimize the available connections. Read through MSDN about
    this.

    3. The Server (where IIS resides) should be secured enough from prying eyes.
    As an example, your ASP pages only need READ access depending on your IIS
    authentication. When using:
            a) Integrated Authentication - give ASPs the READ access to
    "Authenticated Users"
            b) Anonymous - give ASPs the READ access to IUSR_MACHINENAME (or any
    other account you may have configured to anonymous access to IIS)
            c) Basic Authentication - don't use it :p
    Other security features need to be taken into account. Microsoft's site has
    a lot of details of how to "harden" your IIS Server.

    Hope it helps,
    Tiago Halm

    > -----Original Message-----
    > From: ian@kingcon.com [mailto:ian@kingcon.com]
    > Sent: Tuesday, 9 March 2004 14:00
    > To: SECURITY-BASICS@securityfocus.com
    > Subject: passwords in asp pages
    >
    >
    > I am new to security and I have no training in asp
    > programming, so I am wondering if I am right in being scared
    > of the following instance...
    >
    > An IIS based website which has asp pages which contain
    > plaintext passwords for credentials to an sql database on
    > another machine. The passwords are in between <% %> so I
    > assume that means they are only processed on the server and
    > the user does not see them, and there do not seem to be any
    > .inc files calling these pages. The server is also up to
    > date with patches as far as I know.
    >
    > This situation really bothers me, but I'm not experienced
    > enough to know how it could be exploited or whether it could
    > be exploited at all. I just don't like the fact that
    > passwords to a db user are scattered all over the website. I
    > need something to make it easy to say to the people
    > responsible... "Here look this is what can be done to the
    > website to gather the passwords and destroy your data. I
    > don't think it is wise you do this, it is in your best
    > interests to change this pattern." The programmer seemed to
    > just brush it off, when I said that they could be viewed if
    > their source was viewed, by telling me that they would be
    > only processed by the server itself, which still doesn't make
    > me feel good at all.
    >
    > Shouldn't the password be encrypted? Separated into their own file?
    >
    > Is it correct to assume that an attacker who elevated their
    > privileges on the web box could view these files and gain
    > access to the database that way through some other method?
    >
    > What else can be done by an attacker against asp pages that
    > would allow this data to be discovered?
    >
    > Also if I could actually just demonstrate it right before
    > their eyes that would be a big help.
    >
    > Thanks for any advice.
    >
    > Ian
    > :)
    >

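The two points the thread turns on, that `<% %>` only hides code from the browser, not from anyone who can read the file, and that NT Authentication removes the password from the page altogether, as an added example that is not from the thread or either poster. It scans constructed sample ASP pages (the file names, connection strings and the `webapp` login are made up for the example) for SQL Authentication passwords inside server-side blocks and shows the connection string rewritten for Integrated Security.

```python
import re

# Constructed sample ASP pages (not from the thread): one with a SQL
# Authentication password inside <% %>, one using NT Authentication.
SAMPLE_PAGES = {
    "orders.asp": (
        '<html><body>\n<%\n'
        'Set cn = Server.CreateObject("ADODB.Connection")\n'
        'cn.Open "Provider=SQLOLEDB;Data Source=dbsrv;Initial Catalog=Shop;'
        'User ID=webapp;Password=S3cret!"\n'
        '%>\n</body></html>\n'
    ),
    "report.asp": (
        '<%\nSet cn = Server.CreateObject("ADODB.Connection")\n'
        'cn.Open "Provider=SQLOLEDB;Data Source=dbsrv;Initial Catalog=Shop;'
        'Integrated Security=SSPI"\n%>\n'
    ),
}

ASP_BLOCK = re.compile(r"<%(.*?)%>", re.DOTALL)
# Connection-string keys that carry a SQL Authentication password.
PASSWORD_KEY = re.compile(r"\b(password|pwd)\s*=", re.IGNORECASE)
# Keys that select NT (Windows) Authentication instead.
TRUSTED_KEY = re.compile(r"integrated security\s*=\s*(sspi|true)|trusted_connection\s*=\s*(yes|true)", re.IGNORECASE)
# Keys dropped when converting a connection string to NT Authentication.
CREDENTIAL_KEY = re.compile(r"\s*(user id|uid|password|pwd)\s*=", re.IGNORECASE)


def scan_page(name, source):
    """Return (file, line, key) for each password inside a server-side <% %> block."""
    findings = []
    for m in ASP_BLOCK.finditer(source):
        block = m.group(1)
        block_line = source[:m.start()].count("\n") + 1
        for pm in PASSWORD_KEY.finditer(block):
            line = block_line + block[:pm.start()].count("\n")
            findings.append((name, line, pm.group(1)))
    return findings


def scan_site(pages):
    """Scan every page: <% %> hides the code from browsers, not from anyone reading the file."""
    return [f for name, src in pages.items() for f in scan_page(name, src)]


def harden_connection_string(cs):
    """Drop SQL Authentication credentials and switch to NT Authentication (SSPI)."""
    kept = [p for p in cs.split(";") if p.strip() and not CREDENTIAL_KEY.match(p)]
    if not TRUSTED_KEY.search(cs):
        kept.append("Integrated Security=SSPI")
    return ";".join(kept)
```

With the hardened string, the connection is made as the Windows account IIS runs the page under (the anonymous account or the impersonated user, per point 3 above), so that account needs a SQL Server login and only the rights the pages require.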

