RE: ASP security in HTML pages

["Dinis Cruz" <dinis () ddplus net>]

On the point of IIS 6.0 disclosing source code, I have already experienced
in one of my test ISP accounts (with FastHosts.com) a situation where the
source code of the Asp.Net pages was being sent directly to the client (i.e.
the *.aspx was being handled as a normal webpage).

Fasthosts refused to give me more details about the circumstances around the
event (like logs, open threads, debug information, etc...) so I was not able
to find more information about what caused the problem in the first place.

Dinis

> -----Original Message-----
> From: Steve McCullough [mailto:website () showmethesmut com]
> Sent: 25 June 2004 12:30
> To: security-basics () securityfocus com; webappsec () securityfocus com
> Subject: RE: ASP security in HTML pages
>
> Hi all,
>
> I'd like to point out that there have been plenty of ways to get IIS to
> reveal ASP source code. Some examples:
> http://www.securityfocus.com/bid/2909/info/
> http://www.microsoft.com/technet/security/bulletin/MS01-004.mspx
> http://www.netscreen.com/services/security/di_resource_center/threat_defin
> it
> ions.jsp?id=91
>
> As _Hacking Web Applications Exposed_ puts it: "With the track record that
> IIS has had in the source disclosure department, it's never a good idea to
> assume that someone won't be able to view your source code" (55).
>
> It's sometimes suggested that scripters wrap database connection strings,
> encryption keys, and other sensitive information in COM objects to keep
> them
> private. Are there alternatives? What sorts of strategies do people use to
> keep their script contents confidential?
>
> Steve
>
>
> -----
> Steve McCullough
> Web designer
> > www.venusenvy.ca
> > www.showmethesmut.com
>
>
>
> -----Original Message-----
> From: Harrison Gladden [mailto:linuxguru80 () yahoo com]
> Sent: Thursday, June 24, 2004 6:51 PM
> To: Binoni_MARTIN
> Cc: security-basics () securityfocus com; webappsec () securityfocus com
> Subject: RE: ASP security in HTML pages
>
>
> The replies still stand.  The only way the unprocessed
> asp page will make it to the client is if there is a
> "fatal" flaw/misconfiguration of the IIS server.
> Otherwise all request for the file via the http web
> server will be processed by the asp dll engine.
> However if you request the file via ftp or something
> of the sort then yes you will get the unprocesses code
> back from the server.
>
> ~Harrison
> --- Binoni_MARTIN <Benoni.MARTIN () libertis ga> wrote:
> > Well, it seems I have not been very shape in my last
> > posting. I know ASP code is executed on the server's
> > side, and not in the client's browser (it will just
> > receive the results of the scriting).
> >
> > But if a client requests "toto.asp", despite of if
> > it will receive the "toto.asp" WITHOUT the ASP
> > scripts, the server has a "full toto.asp" WITH the
> > asp scripts. So my question was: as the server has
> > in his directory this "full toto.asp", is there a
> > way to get the "full toto.asp" from the server?