Re: passwords in asp pages

[Michael Gale <michael () bluesuperman com>]

Hello,

        I believe a hacker would have to compromise the box in order to see the
passwords, unless it is printed to the client via a web page or http
eviro variable. 

Is the site available via http or https ? If it is http then a sniffer
will show the passwords, it should be HTTPS.

Michael.



On Tue, 9 Mar 2004 09:00:11 -0500
"" <ian () kingcon com> wrote:

> I am new to security and I have no training in asp programming, so I
> am wondering if I am right in being scared of the following
> instance...
>
> A IIS based website which has asp pages which contain plaintext
> passwords for credentials to an sql database on another machine.  The
> passwords are in between <% %> so I assume that means they are only
> processed on the server and the user does not see them, and there do
> not seem to be any .inc files calling these pages.  The server is also
> up to date with patches as far as I know.
>
> This situation really bothers me, but I'm not experienced enough too
> know how it could be exploited or whether it could be exploited at
> all.  I just don't like the fact that passwords to a db user are
> scattered all over the website.  I need something to make it easy to
> say to the people responsible... "Here look this is what can be done
> to the website to gather the passwords and destroy your data.  I don't
> think it is wise you do this, it is in your best interests to change
> this pattern."  The programmer seemed to just brush it off, when I
> said that they could be viewed if their source was viewed, by telling
> me that they would be only processed by the server itself, which still
> doesn't make me feel good at all.
>
> Shouldn't the password be encrypted?  Seperated in their own file?  
>
> Is it correct to assume that an attacker who elevated their
> priveledges on the web box could view these files and gain access too
> the database that way through some other method?  
>
> What else can be done by an attacker against asp pages that would
> allow this data to be discovered?
>
> Also if I could actually just demonstrate it right before their eyes
> that would be a big help.
>
> Thanks for any advice.
>
> Ian
> :)
>
>
>
> Go to www.missingkids.com
>
> Though the words, opinions, and/or policies expressed herein are
> probably right, and most likely right if you disagree with them, they
> are the personal words, opinions, and/or policies of the person using
> this account.  They are not, and the author does not claim they are,
> the words, opinions, and/or policies of the company and officers of
> Merrill Information Systems Inc., any forum they are placed in, or any
> entity other then the author himself that they may appear to
> represent.  That being said, the author probably thinks they should be
> the opinion of those bodies, unless he is playing the devil's
> advocate.
>
> Send complaints or compliments to the author at:
>
> ianian@333ki ngc on.com
>
> Taking out all numbers and spaces and the first ian in the address,
> because spammers use bots, some mailing lists block this information
> from prying eyes, and people who pay attention can follow
> instructions. 
>
>
>
> ---------------------------------------------------------------------
> ------ Ethical Hacking at the InfoSec Institute. Mention this ad and
> get $545 off any course! All of our class sizes are guaranteed to be
> 10 students or less to facilitate one-on-one interaction with one of
> our expert instructors. Attend a course taught by an expert instructor
> with years of in-the-field pen testing experience in our state of the
> art hacking lab. Master the skills of an Ethical Hacker to better
> assess the security of your organization. Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ---------------------------------------------------------------------
> -------


-- 
Hand over the Slackware CD's and back AWAY from the computer, your geek
rights have been revoked !!!

Michael Gale
Slackware user :)
Bluesuperman.com 

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------