RE: passwords in asp pages

["patrick" <patrick () curioustechnology com>]

Ian,

You are right to be concerned.  This technique is not considered a "best
practice" for web applications.  They should be leveraging active directory
and using integrated security for connecting to the database- this will
remove cleartext passwords from the files.  It also allows for the
flexibility to actually utilize the credentials of the visitor if they're
using the application within a credentialed intranet.

Check out the keywords "Integrated Security or Trusted_Connection" and
"ConnectionString" with relation to ADO.net.


As far as a demonstrated exploit, you only need to find some way of getting
access to the machine's files directly.  You might investigate if the
machine is vulnerable to the ASP::$DATA Vulnerability, where you could just
grab the raw asp source from the server.  This exploit looked like the
following:

http://[serverName]/[webpage.asp]::$DATA


http://192.168.0.1/index.asp::$DATA


That's just off the top of my head... any way that you can get direct access
to those files will demonstrate it (unsecured ftp... canonical attacks...
etc).  Hey, anyone with access to the server suddenly can see passwords for
accounts that are not theirs... that alone is easy enough to demo.  



-----Original Message-----
From: ian () kingcon com [mailto:ian () kingcon com] 
Sent: Tuesday, March 09, 2004 6:00 AM
To: SECURITY-BASICS () securityfocus com
Subject: passwords in asp pages

I am new to security and I have no training in asp programming, so I am
wondering if I am right in being scared of the following instance...

A IIS based website which has asp pages which contain plaintext passwords
for credentials to an sql database on another machine.  The passwords are in
between <% %> so I assume that means they are only processed on the server
and the user does not see them, and there do not seem to be any .inc files
calling these pages.  The server is also up to date with patches as far as I
know.

This situation really bothers me, but I'm not experienced enough too know
how it could be exploited or whether it could be exploited at all.  I just
don't like the fact that passwords to a db user are scattered all over the
website.  I need something to make it easy to say to the people
responsible... "Here look this is what can be done to the website to gather
the passwords and destroy your data.  I don't think it is wise you do this,
it is in your best interests to change this pattern."  The programmer seemed
to just brush it off, when I said that they could be viewed if their source
was viewed, by telling me that they would be only processed by the server
itself, which still doesn't make me feel good at all.

Shouldn't the password be encrypted?  Seperated in their own file?  

Is it correct to assume that an attacker who elevated their priveledges on
the web box could view these files and gain access too the database that way
through some other method?  

What else can be done by an attacker against asp pages that would allow this
data to be discovered?

Also if I could actually just demonstrate it right before their eyes that
would be a big help.

Thanks for any advice.

Ian
:)



Go to www.missingkids.com

Though the words, opinions, and/or policies expressed herein are probably
right, and most likely right if you disagree with them, they are the
personal words, opinions, and/or policies of the person using this account.
They are not, and the author does not claim they are, the words, opinions,
and/or policies of the company and officers of Merrill Information Systems
Inc., any forum they are placed in, or any entity other then the author
himself that they may appear to represent.  That being said, the author
probably thinks they should be the opinion of those bodies, unless he is
playing the devil's advocate.

Send complaints or compliments to the author at:

ianian@333ki ngc on.com

Taking out all numbers and spaces and the first ian in the address, because
spammers use bots, some mailing lists block this information from prying
eyes, and people who pay attention can follow instructions. 



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the
skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------





---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------