nanog mailing list archives

Re: Aside: ability to view ASP/ColdFusion code


From: "Andrew Staples" <andrews () ltinet net>
Date: Thu, 2 Jul 1998 10:56:27 -0700

This applies as well to perl and cgi scripts (cgi in iis3.0)

For example:
http://www.activestate.com/lyris/lyris.pl::$DATA

MS hasn't fixed their own site (heh), but they promise a fix today.
http://www.microsoft.com/default.asp::$DATA

In the meantime, Christoph Wille <Christoph.Wille () softwing com> from Softwing
has graciously made available an IIS ISAPI filter that will protect a site from
the ::$DATA vulnerability. You can find it at
http://www.softwing.com/iisdev/ddatafix/

Andrew

-----Original Message-----
From: Manar Hussain <manar () ivision co uk>


This isn't really a NANOG issue so I'll keep it brief - I'm mentioning it
as it's something people here may well want to consider and pass on to
customers with NT servers.

Another MS security hole allows people to access the code for
ASP/ASA/ColdFusion pages by adding ::$data to the URL.

E.g.

http://www.allaire.com/handlers/index.cfm::$DATA

http://www.watford.co.uk/global.asa::$DATA

http://www.datareturn.com/av-asp.asp::$DATA

I understand that using SiteServer or making the file non-readable (but
retaining execute permissions!) "solves" the problem.

Regards,

Manar
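The ::$DATA check that Manar's post and the Softwing ISAPI filter Andrew points to both concern, as an added example that is not part of this thread or of that filter: a Python detector that flags a request path naming any NTFS alternate data stream (it covers the unnamed ::$DATA stream, named streams, and percent-encoded forms, which the posts do not mention), plus a scan over log lines. The log format, client addresses and timestamps are constructed.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit


def ntfs_stream_suffix(url_or_path: str) -> Optional[str]:
    """Return the NTFS stream suffix ("::$DATA", ":hidden", ...) that a
    request path names, or None if it names a plain file.

    NTFS forbids ':' in file names, so any colon in the final path segment
    can only be stream syntax. The path is percent-decoded twice (assumption:
    this catches single and double encoding such as %3A%3A%24DATA) and both
    '/' and '\\' are treated as separators, since IIS accepts either.
    """
    path = urlsplit(url_or_path).path
    for _ in range(2):
        path = unquote(path)
    last = re.split(r"[/\\]", path)[-1]
    idx = last.find(":")
    return last[idx:] if idx != -1 else None


# Constructed, simplified W3C-style log:
# date time client method uri-stem query status
SAMPLE_LOG = """\
1998-07-02 17:40:11 10.0.0.5 GET /default.asp - 200
1998-07-02 17:40:19 10.0.0.5 GET /default.asp::$DATA - 200
1998-07-02 17:41:02 10.0.0.9 GET /global.asa%3A%3A%24DATA - 200
1998-07-02 17:41:30 10.0.0.7 GET /handlers/index.cfm - 200
"""


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, uri-stem, stream suffix) for every request that named
    an alternate data stream. A 200 on such a request means the server most
    likely returned the script's source instead of executing it."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[3] not in ("GET", "HEAD", "POST"):
            continue
        client, stem = fields[2], fields[4]
        suffix = ntfs_stream_suffix(stem)
        if suffix is not None:
            hits.append((client, stem, suffix))
    return hits


if __name__ == "__main__":
    for client, stem, suffix in scan_log(SAMPLE_LOG):
        print(f"{client} requested stream {suffix!r} via {stem}")
```

The same `ntfs_stream_suffix` check can sit in front of the script engine and reject (404) any request for which it returns a value, which is the behaviour the ISAPI filter provides.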

