[no subject]

[Ollie Whitehouse <ollie () DELPHISPLC COM>]

Paul,

In theory this is bad NFS permissions, as the only user that would be
require access to this is the user that the web (or to be exact the ASP
pages) are running as. The fact that anonymous user has read access is just
poor configuration.

Rgds

Ollie
-----
Ollie Whitehouse
Security Team Leader
Delphis Consulting
tel: +44 (0)20 79160200
mai: ollie () delphisplc com



-----Original Message-----
From: Paul Rogers [mailto:paul.rogers () MIS-CDS COM]
Sent: Tuesday, August 08, 2000 4:28 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject:


Hi ppl,

Can't seem to find any info about this on Microsoft's site or BugtraQ so I
thought I'd post here.

In certain IIS/4.0 configurations with ASP (assumption because the file
seems to be an ASP include) and SQL Server running (unknown version),
http://server/include/dbconfig.inc reveals the DSN, username and password to
the database being utilised by the website. Does anyone know about this and
under what configuration conditions does this occur? Or is just poor
configuration on the IIS server revealing the include directory for ASP
scripts run on the site? I think it maybe the latter but I'm no NT/IIS
security guru.

Sample output:

<%      
        Set Conn = Server.CreateObject("ADODB.Connection")
        Conn.Open "DSN=testdb;UID=user1;PWD=xxxx"
'       Conn.Open "testsite"
        
        Set SQLConn = Server.CreateObject("ADODB.Connection")
        SQLConn.Open "DSN=testdb;UID=user1;PWD=xxxx"
        
%>

Cheers,

Paul Rogers,
Network Security Analyst.

MIS Corporate Defence Solutions Limited

Tel:            +44 (0)1622 723422 (Direct Line)
                +44 (0)1622 723400 (Switchboard)
Fax:            +44 (0)1622 728580
Website:        http://www.mis-cds.com/


**********************************************************************
The information contained in this message or any of its attachments may be
privileged and confidential and intended for the exclusive use of the
addressee. If you are not the addressee any disclosure, reproduction,
distribution or other dissemination or use of this communications is
strictly prohibited.

The views expressed in this e-mail are those of the individual and not
necessarily of MIS Corporate Defense Solutions Ltd. Any prices quoted are
only valid if followed up by a formal written quote.

If you have received this transmission in error, please contact our Security
Manager on 44 (0) 1622 723400.
**********************************************************************
This e-mail and any files transmitted with it are intended solely for the
addressee and are confidential. They may also be legally
privileged.Copyright in them is reserved by Delphis Consulting PLC
["Delphis"] and they must not be disclosed to, or used by, anyone other than
the addressee.If you have received this e-mail and any accompanying files in
error, you may not copy, publish or use them in any way and you should
delete them from your system and notify us immediately.E-mails are not
secure.  Delphis does not accept responsibility for changes to e-mails that
occur after they have been sent.  Any opinions expressed in this e-mail may
be personal to the author and may not necessarily reflect the opinions of
Delphis