Re: ASP security in HTML pages

["Matt Fisher" <mattfisher () comcast net>]

As previously described this would indeed be a "fatal misconfiguration" but
would also be mind-boggling rare; one would have to actually never browse
the site they had just built to not have this smack them on the nose.

Bizzare misconfigs or daemon vulns aside, the far most common source of
source code disclosure is finding executable pages with non-executable
extensions.   Combine it with an accidental directory browsing, and your
source is now cached on google.

And as previously stated, never save script in a .html file.  Defeats the
whole purpose.  Instead, save *all* your files, even those without script in
them, as a script file.  The engine will serve the HTML just fine, and you
won't stand to make a costly extension mistake.

Don't ftp archived (i.e. "zipped") to the site and leave the archive out
there either; the archives are binary at that point - not executable pages -
and completely downloadable.  Nothing will ruin your week/month/job worse
than finding out someone just downloaded your entire application.

MF



----- Original Message ----- 
From: "Auri Rahimzadeh" <auri () auri net>
To: "'Scovetta, Michael V'" <Michael.Scovetta () ca com>; "'Bénoni MARTIN'"
<Benoni.MARTIN () libertis ga>; <security-basics () securityfocus com>;
<webappsec () securityfocus com>
Sent: Thursday, June 24, 2004 5:04 PM
Subject: RE: ASP security in HTML pages


Although, to be sure, if you don't have your server configured properly,
i.e. where ASP may be configured improperly, you can serve .asp files just
as if someone requested a .zip file -- it would send the whole file. The
easiest way to tell is when you try hitting an .asp file if IE renders a
page, or just asks you to download the document. I imagine this would be
rare in an IIS configuration, but if you're using something else then it may
be a situation more possible to encounter.

Best,

-Auri

: -----Original Message-----
: From: Scovetta, Michael V [mailto:Michael.Scovetta () ca com]
: Sent: Tuesday, June 22, 2004 1:21 PM
: To: Bénoni MARTIN; security-basics () securityfocus com;
: webappsec () securityfocus com
: Subject: RE: ASP security in HTML pages
:
: Benoni,
:    Actually, neither of those are correct:
: 1. ASP code <% stuff in here %> is NOT transmitted to the client. If it
: is, then perhaps you're saving it as an .HTML file. You should save it as
: a .ASP file instead.
:
: 2. DLLs called from ASP are NOT accessible in general, unless you mis-
: configure your server. DLLs on the server should not be stored in the same
: directory as your files, obviously.
:
: 3. The point of using ASP/JSP/Perl/CGI/etc (any of the server-side
: scripting
: Languages) is to run code that the user on the other end does not see.
: That's why people use them. If it doesn't appear to be working, you
: probably have it mis-configured.
:
: Mike
:
: Michael Scovetta
: Computer Associates
: Senior Application Developer
: tel: +1 631 342 3139
: cell: +1 813 727 5772
: michael.scovetta () ca com
:
:
: > -----Original Message-----
: > From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga]
: > Sent: Tuesday, June 22, 2004 7:42 AM
: > To: security-basics () securityfocus com; webappsec () securityfocus com
: > Subject: ASP security in HTML pages
: >
: > Hi list,
: >
: > I have been googling around to know how secure can be ASP code, and I
: > found what follows:
: > - For a newbee, impossible to get the asp scripts inserted in an HTML
: page
: > as they are not displayed in the client's browser,
: > - Instead of just letting the ASP code in the HTML pages, we can create
: > some DLLs for example, but a not-to-bad skilled hacker can get and
: reverse
: > them.
: >
: > So, my question to you, skilled-people :) is: is there a way to get the
: > asp scripts in a page the server does not send when a client's request
: > arrives? There should be a way to ^perform that, but how tough is it?
: >
: > Thanks in advance, folks!
: >
: >
:



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------