WebApp Sec mailing list archives
Re: Global.asa security under IIS 6.0
From: "Matt Fisher" <mattfisher () comcast net>
Date: Wed, 9 Jun 2004 22:01:33 -0400
IIS won't serve global.asa by default, but be very careful not to make inadvertent backups of it ... they'll drop their source, and if you happen to have a dsn-less ado connection string in there .... I've also gotten them off a fine default SiteServer script (something like "viewsource.asp") but that's a whole different matter. ----- Original Message ----- From: "Michael Howard" <mikehow () microsoft com> To: "Bénoni MARTIN" <Benoni.MARTIN () libertis ga>; <webappsec () securityfocus com>; <pen-test () securityfocus com> Sent: Wednesday, June 09, 2004 1:09 PM Subject: RE: Global.asa security under IIS 6.0 Iis won't serve up global.asa to users, that said, you shouldn't store sensitive data in there either! [Writing Secure Code 2nd Edition] http://www.microsoft.com/mspress/books/5957.asp [Protect Your PC] http://www.microsoft.com/protect [Blog] http://blogs.msdn.com/michael_howard [Annual Security Training] http://mste/training/offerings.asp?offeringid=7142 -----Original Message----- From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga] Sent: Tuesday, June 08, 2004 1:18 AM To: webappsec () securityfocus com; pen-test () securityfocus com Subject: Global.asa security under IIS 6.0 Hi list ! I am wondering about how much secure is the "global.asa" file in ASP. It = seems that we can gather there most of the parameters used with our ASP = pages, but it can be also a weakness if a malicious guy gets access to = it ! So anyone one knows how secure is it to use global.asa, how can we get = it from a website (IIS refuses access to it with an = http://blahblahblah.com/global.asa)...and how can we avoid people = stealing if ? Thanks in advance!
Current thread:
- Global.asa security under IIS 6.0 Bénoni MARTIN (Jun 08)
- Re: Global.asa security under IIS 6.0 saphyr (Jun 09)
- Re: Global.asa security under IIS 6.0 gcb33 (Jun 20)
- RE: Global.asa security under IIS 6.0 Don Tuer (Jun 09)
- RE: Global.asa security under IIS 6.0 Sasha Biskup (Jun 09)
- <Possible follow-ups>
- RE: Global.asa security under IIS 6.0 dinis () ddplus net (Jun 10)
- RE: Global.asa security under IIS 6.0 Michael Howard (Jun 10)
- Re: Global.asa security under IIS 6.0 Matt Fisher (Jun 09)
- Re: Global.asa security under IIS 6.0 saphyr (Jun 09)