WebApp Sec mailing list archives

Re: Prevent security bypass

From: "Ernie Nelson" <Juridian () juridian com>
Date: Fri, 7 Feb 2003 17:48:25 -0800

A simpler method that requires less work is to simply name your include with
the .asp extension.  If you feel the need to mark it as an include prefixing
the filename with inc_ (such as inc_secure.asp).  That way even if the
directories aren't configured right, the code is stripped out and harmless.

I know I'm going to catch sh!t here cause I used .inc, but you can easily
mitigate this by turning off read access in IIS to directories that only
hold files included by other files (such as /scripts/)

Current thread:

RE: Prevent security bypass, (continued)
- RE: Prevent security bypass Adam (Feb 05)
  - Re: Prevent security bypass Chris Travers (Feb 06)
    - RE: Prevent security bypass Adam (Feb 06)
    - RE: Prevent security bypass Larry Seltzer (Feb 06)
    - Re: Prevent security bypass Chris Travers (Feb 06)
- Re: Prevent security bypass Ulrich P. (Feb 05)
  - Re: Prevent security bypass Chris Travers (Feb 04)
  - Re: Prevent security bypass c3rb3r (Feb 04)
  - Re: Prevent security bypass Adrian Wiesmann (Feb 04)
- Re: Prevent security bypass sunzi (Feb 07)
  - Re: Prevent security bypass Ernie Nelson (Feb 07)
    - HTTP Header and POST Data Exploitation Rahul Chander Kashyap (Feb 08)
    - RE: HTTP Header and POST Data Exploitation Indian Tiger (Feb 09)
- Re: Prevent security bypass Ken Rachynski (Feb 04)
- RE: Prevent security bypass David Cameron (Feb 04)
  - RE: Prevent security bypass Vinny Bedus (Feb 05)
    - Re: Prevent security bypass Chris Travers (Feb 05)
- RE: Prevent security bypass Logan F.D. Greenlee (Feb 05)
- RE: Prevent security bypass Kim Christiansen (Feb 05)
- RE: Prevent security bypass Mark Mcdonald (Feb 05)
  - Re[2]: Prevent security bypass M. Austin Hill (Feb 05)

(Thread continues...)