Penetration Testing mailing list archives

Re: [PEN-TEST] HTML source code and authentication


From: c0ncept <c0ncept () 403-SECURITY ORG>
Date: Mon, 18 Dec 2000 12:18:07 -0800

        It looks like your ibank.dll is an ISAPI extension (consult
msdn.microsoft.com, CHttpServer). The name of the extension appearing in the
source should not be an issue, any more than the name of a cgi or perl
script.
        If the scripts directory is vulnerable to the unicode vulnerability,
however, the DLL could be downloaded. It could have a DSN hardcoded into it
or the filename of an external DSN containing the location and password of
the database containing the database with your membership information.
        If you _do_ wish to obscure this information, you could rewrite ibank.dll
as an ISAPI Filter, in which case it would be loaded by IIS and handle files
based on their extensions, rather than explicitly mentioning the file name
in the code.


--c0ncept

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Skinner, Tim L.
Sent: Monday, December 18, 2000 11:13 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] HTML source code and authentication


Hi all,

I must first apologize about my general ignorance of HTML, but I've been
asked to look into this.  I have a question regarding the source code of a
web page that authenticates users.  The snippet of source code from the web
page in question is as follows:

#<H2><font color=9771824>Member Sign On</font></H2>
#<form name="signon" action="/scripts/ibank.dll" method=post>
#<INPUT TYPE ="HIDDEN" NAME=Func VALUE="SignOn">
#<INPUT TYPE=HIDDEN NAME=Frames VALUE="150">
#<INPUT TYPE ="HIDDEN" NAME=homepath VALUE="cu3">

It leaves me wondering if the referenced ibank.dll file is some
authentication program of some sort and if the availability of this
information simply by clicking on 'view source' is a potential problem.
Furthermore, is there a way to obscure this information if it is a risk?
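
An added example, not part of either poster's message: the reply's concern is that a downloadable DLL may carry a hardcoded DSN or the filename of an external DSN, and a site owner can check their own binary for that before deployment. The sketch below scans a file's ASCII and UTF-16LE strings for ODBC connection-string keywords; the keyword list, function names and sample bytes are assumptions constructed for illustration.

```python
import re

# Keywords typical of ODBC connection strings, plus file-DSN names.
# This list is an assumption made for the example, not an exhaustive set.
SUSPECT = re.compile(
    rb"(?i)\b(?:FILEDSN|DSN|UID|PWD|DATABASE|SERVER)\s*=\s*[^;]+"
    rb"|[\w\\:.-]+\.dsn\b"
)
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def printable_strings(blob):
    """Yield (offset, text, bytes_per_char) for string runs in a binary."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), m.group(), 1
    for m in UTF16_RUN.finditer(blob):
        # Drop the interleaved NUL bytes so one regex serves both encodings.
        yield m.start(), m.group()[::2], 2


def find_embedded_dsn(blob):
    """Return sorted (file offset, matched text) pairs that look like DSN data."""
    hits = []
    for offset, text, width in printable_strings(blob):
        for m in SUSPECT.finditer(text):
            hits.append((offset + m.start() * width, m.group().decode("ascii")))
    return sorted(hits)


# Constructed sample standing in for a DLL: a fake header, one ASCII
# connection string and one UTF-16LE file-DSN path.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"DSN=ibank;UID=webuser;PWD=constructed-example\x00"
    + b"\x01\x02\x03"
    + "C:\\data\\members.dsn".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for offset, text in find_embedded_dsn(SAMPLE):
        print(f"0x{offset:06x}  {text}")
```

Any hit means the connection details belong outside the web-served binary, in a location the web server will not hand out.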

