Bugtraq mailing list archives
Re: ASP Security Hole (fwd)
From: systhine () TAMPABAY RR COM (Rob Systhine)
Date: Thu, 10 Feb 2000 17:29:14 -0500
My version of this document...

Any decent web programmer will hammer at his application interfaces inputting randomly for at least an hour or so per 500 lines of code trying to break his/her own program. That after painstakingly ensuring only certain input is allowed to go where it needs to be, thus preventing errors from the get-go. <hint, hint>

But, as Jerry has very graciously (hate to be altavista right now) pointed out, many applications are nowhere near flawless, from a UI standpoint. All the examples (URLs) given were examples of not primarily coding errors, but webserver configuration errors. Sure, the app broke, but the webserver didn't protect the application at all...

IIS has configuration options to help keep your fallen apps from exposing you as a lousy coder: App/Config in IIS4.0 MMC allows you to change the way IIS handles errors. Choose to send simple, custom, and polite error messages instead of allowing IIS to broadcast the address of your grossly broken code.
- Look for search results that include the full path and filename for an include (.inc) file.
  Remember ASP scripts and includes called from ASP scripts do not need IIS read permissions.
- Security administrators need to secure the ASP include files so that external users cannot view them.
"I get a chill every time my code is exposed." -Rob Systhine <systhine () tampabay rr com> -IT/Ryno Innovate Company
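The post's last point, that include files must not be viewable by external users, is something an administrator can check for rather than take on faith. The script below is an added example and is not code from the post or from IIS; it walks a web root, parses classic ASP `#include file=` / `#include virtual=` directives, and flags any included file that both sits inside the web root and has an extension the script engine does not handle (the assumption, labelled in the code, is that only `.asp` and `.asa` are mapped to the ASP engine, so a directly requested `.inc` comes back as plain text). The sample site it builds under a temporary directory is constructed for the demonstration; the connection string and key in it are placeholders.

```python
"""Audit a classic ASP web root for include files a web server would serve as
plain source. Added example, not from the Bugtraq post. Assumes the classic
ASP server-side include syntax and that only SCRIPT_EXTENSIONS are mapped to
the script engine (assumption modelled on default IIS 4 mappings)."""
import os
import re
import tempfile

# <!-- #include file="..." --> or <!-- #include virtual="..." -->
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE)

# Extensions handled by the script engine; anything else under the web root
# is returned verbatim when requested directly (assumption, see docstring).
SCRIPT_EXTENSIONS = {".asp", ".asa"}


def find_exposed_includes(web_root):
    """Return (asp_file, include_file, reason) triples, paths relative to the
    web root with forward slashes, for includes an anonymous client could
    fetch as source text."""
    web_root = os.path.realpath(web_root)
    findings = []
    for dirpath, _, filenames in os.walk(web_root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue  # only script files contain include directives
            asp_path = os.path.join(dirpath, name)
            with open(asp_path, encoding="latin-1") as fh:
                source = fh.read()
            for kind, target in INCLUDE_RE.findall(source):
                if kind.lower() == "virtual":
                    # virtual paths are rooted at the web root
                    resolved = os.path.join(web_root, target.lstrip("/\\"))
                else:
                    # file paths are relative to the including script
                    resolved = os.path.join(dirpath, target)
                resolved = os.path.realpath(resolved)
                inside_root = resolved.startswith(web_root + os.sep)
                ext = os.path.splitext(resolved)[1].lower()
                if inside_root and ext not in SCRIPT_EXTENSIONS:
                    rel_asp = os.path.relpath(asp_path, web_root).replace(os.sep, "/")
                    rel_inc = os.path.relpath(resolved, web_root).replace(os.sep, "/")
                    findings.append((rel_asp, rel_inc,
                                     f"'{ext or '(none)'}' is not mapped to the script engine"))
    return findings


def build_sample_site():
    """Constructed sample web root (not real data): one exposed .inc inside
    the root, one .asp include, and one .inc kept outside the root."""
    base = tempfile.mkdtemp(prefix="asp_audit_")
    root = os.path.join(base, "wwwroot")
    os.makedirs(os.path.join(root, "inc"))
    os.makedirs(os.path.join(base, "includes"))  # sibling dir, outside the web root
    files = {
        os.path.join(root, "default.asp"): (
            '<!-- #include file="inc/db.inc" -->\n'
            '<!-- #include virtual="/inc/header.asp" -->\n'
            '<!-- #include file="../includes/secrets.inc" -->\n'
            '<% Response.Write "hello" %>\n'),
        os.path.join(root, "inc", "db.inc"):
            '<% strConn = "DSN=sample;UID=web;PWD=placeholder" %>\n',
        os.path.join(root, "inc", "header.asp"):
            '<% Response.Write "<h1>site</h1>" %>\n',
        os.path.join(base, "includes", "secrets.inc"):
            '<% apiKey = "placeholder" %>\n',
    }
    for path, body in files.items():
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for asp_file, inc_file, reason in find_exposed_includes(build_sample_site()):
        print(f"{asp_file} includes {inc_file}: {reason}")
```

Only `inc/db.inc` is reported: `header.asp` is processed by the engine before it is sent, and `../includes/secrets.inc` lives outside the web root so the server has no URL for it. Those two cases are also the usual remedies for a finding: rename the include to `.asp` (or map `.inc` to the script engine), or move it outside the web root entirely.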