[no subject]

[Chris Tobkin <tobkin () INTERSEC COM>]

> In certain IIS/4.0 configurations with ASP (assumption because the
> file seems to be an ASP include) and SQL Server running (unknown
> version), http://server/include/dbconfig.inc reveals the DSN,
> username and password to the database being utilised by the website.
> Does anyone know about this and under what configuration conditions
> does this occur? Or is just poor configuration on the IIS server
> revealing the include directory for ASP scripts run on the site? I
> think it maybe the latter but I'm no NT/IIS security guru.

Since the include file is being parsed by asp (by being included) its file
extention should also be associated with the ASP.dll.  Otherwise, all ASP
(and included) content should be in Script/Execute only (depending on your
version of IIS) directories.  Active content should be in a different
virtual directory from static content.  Active content should be Script
only, not Read.  And static content should be Read only, not Script or
Execute.  (Note: all the permissions above are IIS only, not filesystem
permissions.)

I believe someone released an advisory or short note on bugtraq  or
ntbugtraq about .inc files and how they should be handled, which I also
posted to.

// chris
tobkin () intersec com
CCSA/CCSE/MCP