RE: passwords in asp pages

From: Michael Dunn (MDunn_at_sscincorporated.com)
Date: 03/10/04

    Date: Wed, 10 Mar 2004 13:21:10 -0500
    To: <security-basics@securityfocus.com>
    
    

    I'd like to add my experience here too:

    An old vulnerability in IIS was that a specially crafted URL would return the script of an ASP page instead of executing it. Granted, it's an old flaw that's been fixed.

    That being said - I never place database credentials in the script behind an ASP page - instead, I configure the ODBC data source with the login credentials. My thinking is that, if the machine is compromised, it really doesn't matter how I do it, the credentials are compromised - but doing it outside of the ASP script at least prevents an IIS server bug from displaying the password.

    (And don't put your database server on a publicly accessible node!)

    Regards,

    -Mike

    -----Original Message-----
    From: Michael Gale [mailto:michael@bluesuperman.com]
    Sent: Tuesday, March 09, 2004 10:19 PM
    To: security-basics@securityfocus.com
    Subject: Re: passwords in asp pages

    Hello,

    I believe a hacker would have to compromise the box in order to see the
    passwords, unless it is printed to the client via a web page or http
    environment variable.

    Is the site available via http or https? If it is http then a sniffer
    will show the passwords; it should be HTTPS.

    Michael.

    On Tue, 9 Mar 2004 09:00:11 -0500
    "" <ian@kingcon.com> wrote:

    > I am new to security and I have no training in asp programming, so I
    > am wondering if I am right in being scared of the following
    > instance...
    >
    > An IIS based website which has asp pages which contain plaintext
    > passwords for credentials to an sql database on another machine. The
    > passwords are in between <% %> so I assume that means they are only
    > processed on the server and the user does not see them, and there do
    > not seem to be any .inc files calling these pages. The server is also
    > up to date with patches as far as I know.
    >
    > This situation really bothers me, but I'm not experienced enough to
    > know how it could be exploited or whether it could be exploited at
    > all. I just don't like the fact that passwords to a db user are
    > scattered all over the website. I need something to make it easy to
    > say to the people responsible... "Here look this is what can be done
    > to the website to gather the passwords and destroy your data. I don't
    > think it is wise you do this, it is in your best interests to change
    > this pattern." The programmer seemed to just brush it off, when I
    > said that they could be viewed if their source was viewed, by telling
    > me that they would be only processed by the server itself, which still
    > doesn't make me feel good at all.
    >
    > Shouldn't the password be encrypted? Separated in their own file?
    >
    > Is it correct to assume that an attacker who elevated their
    > privileges on the web box could view these files and gain access to
    > the database that way through some other method?
    >
    > What else can be done by an attacker against asp pages that would
    > allow this data to be discovered?
    >
    > Also if I could actually just demonstrate it right before their eyes
    > that would be a big help.
    >
    > Thanks for any advice.
    >
    > Ian
    > :)
    >
    >
    >
    > Go to www.missingkids.com
    >
    > Though the words, opinions, and/or policies expressed herein are
    > probably right, and most likely right if you disagree with them, they
    > are the personal words, opinions, and/or policies of the person using
    > this account. They are not, and the author does not claim they are,
    > the words, opinions, and/or policies of the company and officers of
    > Merrill Information Systems Inc., any forum they are placed in, or any
    > entity other than the author himself that they may appear to
    > represent. That being said, the author probably thinks they should be
    > the opinion of those bodies, unless he is playing the devil's
    > advocate.
    >
    > Send complaints or compliments to the author at:
    >
    > ianian@333ki ngc on.com
    >
    > Taking out all numbers and spaces and the first ian in the address,
    > because spammers use bots, some mailing lists block this information
    > from prying eyes, and people who pay attention can follow
    > instructions.
    >
    >
    >
    > ---------------------------------------------------------------------
    > ------ Ethical Hacking at the InfoSec Institute. Mention this ad and
    > get $545 off any course! All of our class sizes are guaranteed to be
    > 10 students or less to facilitate one-on-one interaction with one of
    > our expert instructors. Attend a course taught by an expert instructor
    > with years of in-the-field pen testing experience in our state of the
    > art hacking lab. Master the skills of an Ethical Hacker to better
    > assess the security of your organization. Visit us at:
    > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    > ---------------------------------------------------------------------
    > -------
    >

    -- 
    Hand over the Slackware CD's and back AWAY from the computer, your geek
    rights have been revoked !!!
    Michael Gale
    Slackware user :)
    Bluesuperman.com 
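Ian's worry about credentials "scattered all over the website" and Mike's advice to keep them out of the script both reduce to one audit question: which server-side `<% %>` blocks still carry a connection-string password? The scanner below is an added example, not code from the thread or from either poster; the file extensions it checks, the credential keys it looks for, and the two sample pages are assumptions constructed for illustration.

```python
import re
from pathlib import Path
from typing import List, NamedTuple

# Server-side ASP blocks, the <% ... %> regions the thread talks about.
SERVER_BLOCK = re.compile(r"<%(.*?)%>", re.DOTALL)
# Credential keys used in ODBC / OLE DB connection strings (assumed set).
CRED_KEY = re.compile(r"\b(pwd|password|uid|user\s*id)\s*=\s*([^;\"']*)",
                      re.IGNORECASE)


class Finding(NamedTuple):
    path: str
    line: int   # 1-based line in the source file
    key: str    # normalised credential key, e.g. "password"


def scan_source(path: str, text: str) -> List[Finding]:
    """Return one Finding per credential key found inside a <% %> block."""
    findings = []
    for block in SERVER_BLOCK.finditer(text):
        for m in CRED_KEY.finditer(block.group(1)):
            # Translate the match offset back to a line number for the report.
            offset = block.start(1) + m.start()
            line_no = text.count("\n", 0, offset) + 1
            findings.append(Finding(path, line_no, m.group(1).lower()))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a web root and scan classic ASP sources, including .inc files."""
    out = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in {".asp", ".inc", ".asa"}:
            out.extend(scan_source(str(p), p.read_text(errors="replace")))
    return out


# Constructed sample pages (not from the thread): inline credentials vs a DSN.
INLINE_CREDS = """<html><% Set cn = Server.CreateObject("ADODB.Connection")
cn.Open "Provider=SQLOLEDB;Data Source=dbhost;User ID=webapp;Password=S3cret!;"
%></html>"""
DSN_ONLY = """<% Set cn = Server.CreateObject("ADODB.Connection")
cn.Open "DSN=AppDB"
%>"""

if __name__ == "__main__":
    for f in scan_source("inline.asp", INLINE_CREDS) + scan_source("dsn.asp", DSN_ONLY):
        print(f"{f.path}:{f.line}: credential key '{f.key}' in server-side block")
```

Only the page with the embedded connection string is reported; the DSN-based page, which is what Mike describes, produces no findings.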
    
