RE: ASP security in HTML pages
From: Calderon, Juan Carlos (GE Commercial Finance, NonGE) (juan.calderon_at_ge.com)
Date: 06/28/04
- Previous message: Simon Quirk: "Re: Disaster Recovery Plan"
- Maybe in reply to: Bénoni MARTIN: "ASP security in HTML pages"
- Next in thread: Dinis Cruz: "RE: ASP security in HTML pages"
- Reply: Dinis Cruz: "RE: ASP security in HTML pages"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 28 Jun 2004 11:14:42 -0400
To: "Dinis Cruz" <dinis@ddplus.net>, "Steve McCullough" <website@showmethesmut.com>, <security-basics@securityfocus.com>, <webappsec@securityfocus.com>
Hello Dinis
IMHO this occurred because the .NET Framework was not correctly installed, more specifically the ISAPI extension; this is a common error when the .NET Framework is installed after IIS is, for example, so IIS shows the aspx page's content instead of processing it.
Regards
JC
-----Original Message-----
From: Dinis Cruz [mailto:dinis@ddplus.net]
Sent: Sunday, June 27, 2004 12:10 PM
To: 'Steve McCullough'; security-basics@securityfocus.com;
webappsec@securityfocus.com
Subject: RE: ASP security in HTML pages
On the point of IIS 6.0 disclosing source code, I have already experienced
in one of my test ISP accounts (with FastHosts.com) a situation where the
source code of the Asp.Net pages was being sent directly to the client (i.e.
the *.aspx was being handled as a normal webpage).
Fasthosts refused to give me more details about the circumstances around the
event (like logs, open threads, debug information, etc...) so I was not able
to find more information about what caused the problem in the first place.
Dinis
> -----Original Message-----
> From: Steve McCullough [mailto:website@showmethesmut.com]
> Sent: 25 June 2004 12:30
> To: security-basics@securityfocus.com; webappsec@securityfocus.com
> Subject: RE: ASP security in HTML pages
>
> Hi all,
>
> I'd like to point out that there have been plenty of ways to get IIS to
> reveal ASP source code. Some examples:
> http://www.securityfocus.com/bid/2909/info/
> http://www.microsoft.com/technet/security/bulletin/MS01-004.mspx
> http://www.netscreen.com/services/security/di_resource_center/threat_definitions.jsp?id=91
>
> As _Hacking Web Applications Exposed_ puts it: "With the track record that
> IIS has had in the source disclosure department, it's never a good idea to
> assume that someone won't be able to view your source code" (55).
>
> It's sometimes suggested that scripters wrap database connection strings,
> encryption keys, and other sensitive information in COM objects to keep them
> private. Are there alternatives? What sorts of strategies do people use to
> keep their script contents confidential?
>
> Steve
>
>
> -----
> Steve McCullough
> Web designer
> > www.venusenvy.ca
> > www.showmethesmut.com
>
>
>
> -----Original Message-----
> From: Harrison Gladden [mailto:linuxguru80@yahoo.com]
> Sent: Thursday, June 24, 2004 6:51 PM
> To: Binoni_MARTIN
> Cc: security-basics@securityfocus.com; webappsec@securityfocus.com
> Subject: RE: ASP security in HTML pages
>
>
> The replies still stand. The only way the unprocessed
> asp page will make it to the client is if there is a
> "fatal" flaw/misconfiguration of the IIS server.
> Otherwise all requests for the file via the http web
> server will be processed by the asp dll engine.
> However, if you request the file via ftp or something
> of the sort then yes, you will get the unprocessed code
> back from the server.
>
> ~Harrison
> --- Binoni_MARTIN <Benoni.MARTIN@libertis.ga> wrote:
> > Well, it seems I have not been very sharp in my last
> > posting. I know ASP code is executed on the server's
> > side, and not in the client's browser (it will just
> > receive the results of the scripting).
> >
> > But if a client requests "toto.asp", even though
> > it will receive the "toto.asp" WITHOUT the ASP
> > scripts, the server has a "full toto.asp" WITH the
> > asp scripts. So my question was: as the server has
> > in its directory this "full toto.asp", is there a
> > way to get the "full toto.asp" from the server?
> >
> >
>
>
>
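A defender-side check for the condition the thread describes (IIS handing an .asp or .aspx file back unprocessed because the ISAPI mapping never ran), written as an added example that is not part of any message in this thread: it inspects a response body for server-side script markers that never survive normal processing, and flags a script file served with a plain content type. The marker list is an assumed heuristic, not an exhaustive signature set, and the sample responses are constructed.

```python
import re
from dataclasses import dataclass, field
from urllib.request import urlopen

# Markers that only appear in unprocessed ASP / ASP.NET source, never in the
# HTML a correctly configured IIS renders from it. Assumed heuristics, not an
# exhaustive signature set.
SERVER_SCRIPT_MARKERS = [
    (re.compile(r"<%@\s*(Page|Control|Import|Register)\b", re.I), "ASP.NET page directive"),
    (re.compile(r"""<script[^>]*\brunat\s*=\s*["']?server""", re.I), "server-side <script runat=server>"),
    (re.compile(r"<%[^@].*?%>", re.S), "inline <% ... %> script block"),
    (re.compile(r"Server\.CreateObject\s*\(", re.I), "classic ASP Server.CreateObject call"),
    (re.compile(r"Provider=|Data Source=|Password=", re.I), "connection-string fragment"),
]

@dataclass
class Finding:
    path: str
    content_type: str
    markers: list = field(default_factory=list)

def check_response(path, content_type, body):
    """Return a Finding if `body` looks like unprocessed script source, else None."""
    found = [name for rx, name in SERVER_SCRIPT_MARKERS if rx.search(body)]
    # A script file handed back with a static/plain content type is itself a red
    # flag: it means the ISAPI mapping for the extension never ran.
    ct = content_type.split(";")[0].strip().lower()
    if path.lower().endswith((".asp", ".aspx")) and ct == "text/plain":
        found.append("script file served as text/plain")
    return Finding(path, content_type, found) if found else None

def check_url(url, timeout=10):
    """Fetch one of your own pages and run check_response on it (needs network)."""
    with urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
        return check_response(url, resp.headers.get("Content-Type", ""), body)

# Constructed sample responses (not captured from a real server).
RENDERED_HTML = "<html><body><h1>Welcome</h1><p>Rows: 3</p></body></html>"
LEAKED_ASPX = (
    '<%@ Page Language="C#" %>\n'
    '<script runat="server">\n'
    '  string cs = "Provider=SQLOLEDB;Data Source=db1;Password=s3cret";\n'
    '</script>\n'
    "<html><body><h1>Welcome</h1></body></html>"
)
```

Run `check_response("/default.aspx", "text/plain", LEAKED_ASPX)` to see a Finding listing the directive, the runat=server block, the connection-string fragment and the text/plain mismatch, while the rendered sample returns None.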