RE: Outlook Web Access view include files vulnerability

[danmiller () carolina rr com]

Do not let web users access asp include files. They should
only be accessed by the user running the asp scripts
(usually IWAM_MACHINENAME). I used to associate .inc files
with the asp dll so that the source wouldn't be returned to
the user (if you have patched all the MS view source bugs),
but I don't know if you can pass parameters to them or if
there would be any other ill
effects.