WebApp Sec mailing list archives
Re: ASP security in HTML pages
From: Dominic Cleal <domnews () computerkb co uk>
Date: Tue, 29 Jun 2004 07:38:59 +0100
On Mon, 28 Jun 2004 11:22:11 -0400 "Calderon, Juan Carlos (GE Commercial Finance, NonGE)" <juan.calderon () ge com> wrote:
> Hi!
>
> From my point of view the easiest way is to use the "friendly" pages to show code like ShowCode.asp page at IIS samples.
>
> (Background) http://support.microsoft.com/default.aspx?scid=kb;en-us;232449
> (Exploit) http://www.atstake.com/research/advisories/1999/showcode.txt
> (Both) http://www.securityfocus.com/infocus/1317
>
> Cheers
> JC
If he's paranoid about the system config and fears that his sysadmin might accidentally mis-configure the server then he might be able to use a ShowCode.asp like system to retrieve and show pages. Depending on his level of paranoia, he could use the same code as ShowCode.asp but with heavy checking to ensure that nobody uses that exploit, but he'd have to be extremely sure or stupid in case there are other ways to exploit it.

He could otherwise make an index page, which takes a passed variable (page=home, page=sales etc) and a select case inside the script - each case has an include to a file outside the web serving path. Then if the script gets sent out, all they see is a select case with a load of includes - they'd know where the files were stored, but as they're outside the serving directory, as long as there are no more exploits, they're safe.

If he's got loads of pages, he could do a similar thing by replacing each page with a page that just has an include to the actual code (stored outside the serving directory again). The maintenance might not be fun, but it all depends on how much he trusts his sysadmin!

-- 
Dominic Cleal
dominic () computerkb co uk
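
A sketch of the index page described in the message above, added here as an illustration; it is not code from the post or from anyone in the thread. The directory layout, the `.inc` file names and the `notfound` page are hypothetical, and it assumes parent paths are enabled for the application so that `#include file` may use `..`.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' index.asp - added illustration, not code from the thread.
' Assumed layout (hypothetical):
'   D:\site\wwwroot\index.asp     <- the only file in the served directory
'   D:\site\private\home.inc      <- real page code, not reachable by URL
'   D:\site\private\sales.inc
'   D:\site\private\notfound.inc

Dim page
' The parameter is only compared against fixed names. It is never
' concatenated into a file path, so its value cannot select a file.
page = LCase(Trim(Request.QueryString("page")))
If page = "" Then page = "home"

' ASP resolves every #include before any script runs, so all three
' files are merged into this script; Select Case decides which runs.
Select Case page
    Case "home"
%>
<!-- #include file="..\private\home.inc" -->
<%
    Case "sales"
%>
<!-- #include file="..\private\sales.inc" -->
<%
    Case Else
        ' Unknown names get a fixed response; the input is not echoed.
        Response.Status = "404 Not Found"
%>
<!-- #include file="..\private\notfound.inc" -->
<%
End Select
%>
```

Because every include is merged into one script before execution, the included files share a single scope: with `Option Explicit`, two of them declaring the same variable name will fail with a "Name redefined" error.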