Vulnerability Development mailing list archives
[no subject]
From: Chris Tobkin <tobkin () INTERSEC COM>
Date: Wed, 9 Aug 2000 11:21:36 -0500
In certain IIS/4.0 configurations with ASP (assumption because the file seems to be an ASP include) and SQL Server running (unknown version), http://server/include/dbconfig.inc reveals the DSN, username and password to the database being utilised by the website. Does anyone know about this and under what configuration conditions does this occur? Or is just poor configuration on the IIS server revealing the include directory for ASP scripts run on the site? I think it maybe the latter but I'm no NT/IIS security guru.
Since the include file is being parsed by asp (by being included) its file extention should also be associated with the ASP.dll. Otherwise, all ASP (and included) content should be in Script/Execute only (depending on your version of IIS) directories. Active content should be in a different virtual directory from static content. Active content should be Script only, not Read. And static content should be Read only, not Script or Execute. (Note: all the permissions above are IIS only, not filesystem permissions.) I believe someone released an advisory or short note on bugtraq or ntbugtraq about .inc files and how they should be handled, which I also posted to. // chris tobkin () intersec com CCSA/CCSE/MCP
Current thread:
- [no subject] Chris Tobkin (Aug 10)