Re: ASP Security Hole (fwd)

[MarkieV () UWYO EDU (Mark L. VanScoyk)]

> - In the Altavisa search engine execute a search for
> +"Microsoft VBScript runtime error" +".inc, "

> - Look for search results that include the full
> path and filename for an include (.inc) file.

> - Append the include filename to the host name
> and call this up in a web browser.
> Example:  www.rodney.com/stationery/browser.inc

If you follow any of the ASP newsgroups, websites, or mailing lists they
always recommend one of 2 actions to prevent problems with include files.

1.  Associate .inc files with the asp interpreter.
2.  Name all of you include files with the .asp extension instead of .inc.
There is no reason that the files need and .inc extension.  This will insure
that if someone finds the name of your include file through an error or even
by guessing they will not see anything compromising.

In regards to the specific issues above: "Active server pages (ASP) with
runtime errors
expose a security hole that publishes the full source code name to the
caller" This can be prevented at the server level by changing the "Script
Error Messages" property in IIS from "Send detailed ASP error messages to
client" to Send text error message to client".  This property then lets you
specify what error message to send.  All further errors with simply receive
that text message instead of the actual error.