RE: passwords in asp pages

["MARTIN M. Bénoni" <benoni_martin () hotmail com>]

> From: "" <ian () kingcon com>
> To: SECURITY-BASICS () securityfocus com
> Subject: passwords in asp pages
> Date: Tue, 9 Mar 2004 09:00:11 -0500
>
> I am new to security and I have no training in asp programming, so I am 
> wondering if I am right in being scared of the following instance...

Well, There is always a point to start! :)

> A IIS based website which has asp pages which contain plaintext passwords 
> for credentials to an sql database on another machine.  The passwords are 
> in between <% %> so I assume that means they are only processed on the 
> server and the user does not see them, and there do not seem to be any .inc 
> files calling these pages.  The server is also up to date with patches as 
> far as I know.
Watch out! A patched server do not mean a secure server!! And I quite agree 
that passwords shoud at least be hached with somthing like MD5 or SHA-1!

> This situation really bothers me, but I'm not experienced enough too know 
> how it could be exploited or whether it could be exploited at all.  I just 
> don't like the fact that passwords to a db user are scattered all over the 
> website.  I need something to make it easy to say to the people 
> responsible... "Here look this is what can be done to the website to gather 
> the passwords and destroy your data.  I don't think it is wise you do this, 
> it is in your best interests to change this pattern."  The programmer 
> seemed to just brush it off, when I said that they could be viewed if their 
> source was viewed, by telling me that they would be only processed by the 
> server itself, which still doesn't make me feel good at all.
Well, I am not an ASP programmer neither, but I agree with the fact that 
clear-text passwords are not at all recommended!! As I said above, at least 
hached, and even in a separated file accessible only by the admin of the 
server. At least that!


> Shouldn't the password be encrypted?  Seperated in their own file?
>
> Is it correct to assume that an attacker who elevated their priveledges on 
> the web box could view these files and gain access too the database that 
> way through some other method?
That's correct, but depend as well of many things: how is partitioned the 
server? what are the security settings on the server? ...

> What else can be done by an attacker against asp pages that would allow 
> this data to be discovered?
>
> Also if I could actually just demonstrate it right before their eyes that 
> would be a big help.
>
> Thanks for any advice.
>
> Ian
> :)
>
>
>
> Go to www.missingkids.com
>
> Though the words, opinions, and/or policies expressed herein are probably 
> right, and most likely right if you disagree with them, they are the 
> personal words, opinions, and/or policies of the person using this account. 
>  They are not, and the author does not claim they are, the words, 
> opinions, and/or policies of the company and officers of Merrill 
> Information Systems Inc., any forum they are placed in, or any entity other 
> then the author himself that they may appear to represent.  That being 
> said, the author probably thinks they should be the opinion of those 
> bodies, unless he is playing the devil's advocate.
>
> Send complaints or compliments to the author at:
>
> ianian@333ki ngc on.com
>
> Taking out all numbers and spaces and the first ian in the address, because 
> spammers use bots, some mailing lists block this information from prying 
> eyes, and people who pay attention can follow instructions.
>
>
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the 
> skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------

_________________________________________________________________
MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*. 
http://join.msn.com/?page=features/virus


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------