RE: ASP security in HTML pages

From: Dinis Cruz (dinis_at_ddplus.net)
Date: 06/28/04

    To: "'Calderon, Juan Carlos (GE Commercial Finance, NonGE)'" <juan.calderon@ge.com>, "'Steve McCullough'" <website@showmethesmut.com>, <security-basics@securityfocus.com>, <webappsec@securityfocus.com>
    Date: Mon, 28 Jun 2004 21:50:43 +0100
    
    

    It wasn't misconfiguration since the Website was working perfectly before
    that (for several months).

    My opinion (since FastHosts didn't give me access to the logs) is that the
    .Net framework somehow got corrupted.

    Comments from FastHost's support staff (in March 2004):

    "...The .Net Framework appeared to have become corrupted on the domain;
    after reinstalling the framework via the control panel, this resolved the
    issue. We can't guarantee this won't happen again and sadly it's not
    possible for me to find out the exact reason as to why this occurred; however,
    this is a very rare occurrence and it is extremely unlikely the issue will
    reoccur..."

    And

    "... Personally, I have only seen this issue occur once in the past 8
    months. In what respect do you require logs? You can see the standard
    logfiles for your site within the 'logfiles' folder on the domain's FTP,
    however no other logs are available. ..."

    I haven't had time to further investigate this since it would be very useful
    to understand the cause of the problem (although FastHosts have already seen
    this problem at least twice).

    Dinis

    > -----Original Message-----
    > From: Calderon, Juan Carlos (GE Commercial Finance, NonGE)
    > [mailto:juan.calderon@ge.com]
    > Sent: 28 June 2004 15:15
    > To: Dinis Cruz; Steve McCullough; security-basics@securityfocus.com;
    > webappsec@securityfocus.com
    > Subject: RE: ASP security in HTML pages
    >
    > Hello Dinis
    >
    > IMHO this occurred because the .Net Framework was not correctly installed,
    > more specifically the ISAPI extension. This is a common error when, for
    > example, the .NET Framework is installed after IIS, so IIS shows the aspx
    > pages' content instead of processing it.
    >
    > Regards
    > JC
    >
    > -----Original Message-----
    > From: Dinis Cruz [mailto:dinis@ddplus.net]
    > Sent: Sunday, June 27, 2004 12:10 PM
    > To: 'Steve McCullough'; security-basics@securityfocus.com;
    > webappsec@securityfocus.com
    > Subject: RE: ASP security in HTML pages
    >
    >
    > On the point of IIS 6.0 disclosing source code, I have already experienced
    > in one of my test ISP accounts (with FastHosts.com) a situation where the
    > source code of the Asp.Net pages was being sent directly to the client
    > (i.e. the *.aspx was being handled as a normal webpage).
    >
    > Fasthosts refused to give me more details about the circumstances around
    > the event (like logs, open threads, debug information, etc...) so I was not
    > able to find more information about what caused the problem in the first place.
    >
    > Dinis
    >
    > > -----Original Message-----
    > > From: Steve McCullough [mailto:website@showmethesmut.com]
    > > Sent: 25 June 2004 12:30
    > > To: security-basics@securityfocus.com; webappsec@securityfocus.com
    > > Subject: RE: ASP security in HTML pages
    > >
    > > Hi all,
    > >
    > > I'd like to point out that there have been plenty of ways to get IIS to
    > > reveal ASP source code. Some examples:
    > > http://www.securityfocus.com/bid/2909/info/
    > > http://www.microsoft.com/technet/security/bulletin/MS01-004.mspx
    > > http://www.netscreen.com/services/security/di_resource_center/threat_definitions.jsp?id=91
    > >
    > > As _Hacking Web Applications Exposed_ puts it: "With the track record
    > > that IIS has had in the source disclosure department, it's never a good
    > > idea to assume that someone won't be able to view your source code" (55).
    > >
    > > It's sometimes suggested that scripters wrap database connection
    > > strings, encryption keys, and other sensitive information in COM objects
    > > to keep them private. Are there alternatives? What sorts of strategies do
    > > people use to keep their script contents confidential?
    > >
    > > Steve
    > >
    > >
    > > -----
    > > Steve McCullough
    > > Web designer
    > > www.venusenvy.ca
    > > www.showmethesmut.com
    > >
    > >
    > >
    > > -----Original Message-----
    > > From: Harrison Gladden [mailto:linuxguru80@yahoo.com]
    > > Sent: Thursday, June 24, 2004 6:51 PM
    > > To: Binoni_MARTIN
    > > Cc: security-basics@securityfocus.com; webappsec@securityfocus.com
    > > Subject: RE: ASP security in HTML pages
    > >
    > >
    > > The replies still stand. The only way the unprocessed
    > > asp page will make it to the client is if there is a
    > > "fatal" flaw/misconfiguration of the IIS server.
    > > Otherwise all requests for the file via the http web
    > > server will be processed by the asp dll engine.
    > > However, if you request the file via ftp or something
    > > of the sort then yes, you will get the unprocessed code
    > > back from the server.
    > >
    > > ~Harrison
    > > --- Binoni_MARTIN <Benoni.MARTIN@libertis.ga> wrote:
    > > > Well, it seems I have not been very sharp in my last
    > > > posting. I know ASP code is executed on the server's
    > > > side, and not in the client's browser (it will just
    > > > receive the results of the scripting).
    > > >
    > > > But if a client requests "toto.asp", despite the fact
    > > > that it will receive the "toto.asp" WITHOUT the ASP
    > > > scripts, the server has a "full toto.asp" WITH the
    > > > asp scripts. So my question was: as the server has
    > > > in its directory this "full toto.asp", is there a
    > > > way to get the "full toto.asp" from the server?
    > > >
    > > >
    > >
    > >
    > >
    >
    >
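The failure mode Dinis and Juan Carlos describe (IIS serving an .aspx file verbatim because the ASP.NET ISAPI mapping is missing or broken) leaves tell-tale server-side constructs in the HTTP response body. The following check, an added example that is not part of this thread, scans a response for those markers so a site owner can monitor their own pages after a framework (re)install; the sample bodies are constructed, not captured from any real host.

```python
import re

# Constructs the ASP.NET engine consumes before a response leaves the server.
# A correctly processed page never contains them; their presence means the
# file was delivered as static content, i.e. the source was disclosed.
_DIRECTIVE = re.compile(r"<%@\s*(Page|Control|Master|Import|Register|Assembly)\b", re.I)
_CODE_BLOCK = re.compile(r"<%(?!--).*?%>", re.S)   # <% ... %> render/code blocks
_SERVER_SCRIPT = re.compile(r"<script[^>]*\brunat\s*=\s*[\"']?server", re.I)
_SERVER_CONTROL = re.compile(r"<asp:\w+[^>]*\brunat\s*=\s*[\"']?server", re.I)


def disclosure_indicators(body: str) -> list:
    """Return the kinds of unprocessed ASP.NET constructs found in a response body."""
    found = []
    if _DIRECTIVE.search(body):
        found.append("page directive")
    if _CODE_BLOCK.search(body):
        found.append("code block")
    if _SERVER_SCRIPT.search(body):
        found.append("server-side script")
    if _SERVER_CONTROL.search(body):
        found.append("server control")
    return found


def is_source_disclosed(body: str) -> bool:
    """True when the body looks like an .aspx file served without processing."""
    return bool(disclosure_indicators(body))


def check_url(url: str, timeout: float = 10) -> list:
    """Fetch one of your own pages and report any disclosure indicators."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return disclosure_indicators(resp.read().decode("utf-8", "replace"))


# Constructed sample responses: what a healthy server returns versus what a
# server with a broken ASP.NET handler mapping returns for the same page.
PROCESSED = ('<html><body><form action="login.aspx" method="post">'
             '<input name="user"></form></body></html>')
DISCLOSED = (
    '<%@ Page Language="C#" %>\n'
    '<script runat="server">\n'
    '  string conn = "Server=db;User Id=app;Password=placeholder";  // constructed\n'
    '</script>\n'
    '<html><body><form runat="server">'
    '<asp:TextBox ID="User" runat="server" /></form></body></html>'
)
```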


