Security Basics mailing list archives
Patching IIS (was - RE: ASP security in HTML pages)
From: "Wolf, Yonah" <Yonah.Wolf () ujc org>
Date: Mon, 28 Jun 2004 14:25:41 -0400
All, I seems that a lot of these responses are pointing out age-old flaws in ASP - stuff that was around 3-4 years ago. If someone were to properly configure and/or patch their server (say, by running the IIS lockdown tool) they would not be exposed to these vulnerabilities. In light of that I just wanted to point out several things: - It's not the holes you close, but the ones you need to keep open that you need to worry about (hence the need for web app security) - I understand if someone gets taken by a new flaw when it first comes out, but it is a sorry state of affairs when ASP flaws from 3 years ago are still being exploited - I just can't understand why well-known security patches aren't being applied!?!? - Steps to protect your source code, especially if that code is contained in scripts, is like the false security of a life preserver in shark-infested waters - it will help you, but to a point. --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- Patching IIS (was - RE: ASP security in HTML pages) Wolf, Yonah (Jun 28)