Security Basics mailing list archives

passwords in asp pages


From: "" <ian () kingcon com>
Date: Tue, 9 Mar 2004 09:00:11 -0500

I am new to security and I have no training in ASP programming, so I am wondering if I am right in being scared of the 
following instance...

An IIS based website which has ASP pages which contain plaintext passwords for credentials to an SQL database on another 
machine.  The passwords are in between <% %> so I assume that means they are only processed on the server and the user 
does not see them, and there do not seem to be any .inc files calling these pages.  The server is also up to date with 
patches as far as I know.

This situation really bothers me, but I'm not experienced enough to know how it could be exploited or whether it could 
be exploited at all.  I just don't like the fact that passwords to a db user are scattered all over the website.  I 
need something to make it easy to say to the people responsible... "Here look, this is what can be done to the website 
to gather the passwords and destroy your data.  I don't think it is wise you do this; it is in your best interests to 
change this pattern."  The programmer seemed to just brush it off, when I said that they could be viewed if their 
source was viewed, by telling me that they would only be processed by the server itself, which still doesn't make me 
feel good at all.

Shouldn't the password be encrypted?  Separated in their own file?

Is it correct to assume that an attacker who elevated their privileges on the web box could view these files and gain 
access to the database that way through some other method?

What else can be done by an attacker against ASP pages that would allow this data to be discovered?

Also if I could actually just demonstrate it right before their eyes that would be a big help.

Thanks for any advice.

Ian
:)



Go to www.missingkids.com

Though the words, opinions, and/or policies expressed herein are probably right, and most likely right if you disagree 
with them, they are the personal words, opinions, and/or policies of the person using this account.  They are not, and 
the author does not claim they are, the words, opinions, and/or policies of the company and officers of Merrill 
Information Systems Inc., any forum they are placed in, or any entity other than the author himself that they may 
appear to represent.  That being said, the author probably thinks they should be the opinion of those bodies, unless he 
is playing the devil's advocate.

Send complaints or compliments to the author at:

ianian@333ki ngc on.com

Taking out all numbers and spaces and the first ian in the address, because spammers use bots, some mailing lists block 
this information from prying eyes, and people who pay attention can follow instructions. 
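The post asks for something concrete to show how many places the database login lives. The script below is an added example written for this archive page, not code from the poster or from the list: it walks a tree of classic ASP files, pulls out the server-side <% %> blocks, and reports every ADO/ODBC connection string carrying a Password= or Pwd= key, with the secret redacted so the report itself does not become another copy of the password. The sample page, the file name page.asp, the host name dbsrv01 and the logins in it are constructed for the example; the regexes assume the usual OLE DB / ODBC key names.

```python
import os
import re

# Constructed sample: a classic-ASP page of the kind the post describes,
# with plaintext SQL logins inside <% %> blocks.
SAMPLE_ASP = """<html><body>
<% 
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=dbsrv01;Initial Catalog=orders;User ID=webapp;Password=Summer2004!"
%>
<p>Hello</p>
<%
strConn = "Driver={SQL Server};Server=dbsrv01;Database=orders;Uid=reports;Pwd=r3ports;"
%>
</body></html>
"""

# Server-side script delimiters (non-greedy, may span lines).
SERVER_BLOCK = re.compile(r"<%(.*?)%>", re.DOTALL)
# Connection-string keys that carry the secret (OLE DB "Password", ODBC "Pwd").
SECRET_KEY = re.compile(r"\b(password|pwd)\s*=\s*([^;\"']+)", re.IGNORECASE)
# Keys naming the SQL login on the same line (OLE DB "User ID", ODBC "Uid").
USER_KEY = re.compile(r"\b(user id|uid|user)\s*=\s*([^;\"']+)", re.IGNORECASE)


def find_server_blocks(text):
    """Return (start_line, body) for every <% ... %> block in an ASP page."""
    blocks = []
    for m in SERVER_BLOCK.finditer(text):
        start_line = text.count("\n", 0, m.start()) + 1
        blocks.append((start_line, m.group(1)))
    return blocks


def redact(secret):
    """Keep first and last character so two findings can be told apart."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]


def find_credentials(text, filename="page.asp"):
    """List each embedded DB password: file, line, key, login, redacted secret."""
    findings = []
    for start_line, body in find_server_blocks(text):
        lines = body.splitlines()
        for m in SECRET_KEY.finditer(body):
            offset = body.count("\n", 0, m.start())
            um = USER_KEY.search(lines[offset])
            findings.append({
                "file": filename,
                "line": start_line + offset,
                "key": m.group(1),
                "user": um.group(2) if um else None,
                "secret": redact(m.group(2)),
            })
    return findings


def scan_tree(root, extensions=(".asp", ".inc", ".asa")):
    """Run find_credentials over every ASP-family file under root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1", errors="replace") as fh:
                    findings.extend(find_credentials(fh.read(), path))
    return findings


if __name__ == "__main__":
    for f in find_credentials(SAMPLE_ASP):
        print("{file}:{line}  {key}= {secret}  (login {user})".format(**f))
```

Run it against the web root and the output is the list the post is asking for: every file and line where a SQL login is hard-coded, and how many distinct logins are involved. The same list is what a rotation would have to cover after the credentials are moved out of the pages.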




