RE: .asp giving 404

[Steve Syfuhs <ssyfuhs () objectsharp com>]

What are the read/write permissions on your page versus the permissions on the working pages?

-- Sent from my Windows Phone 7 --

-----Original Message-----
From: Robin Wood
Sent: Thursday, April 14, 2011 7:23 PM
To: Calderon, Juan Carlos (GE, Corporate, consultant)
Cc: webappsec () securityfocus com
Subject: Re: .asp giving 404


On 13 April 2011 14:37, Calderon, Juan Carlos (GE, Corporate,
consultant) <juan.calderon () ge com> wrote:
> 3 things on top of my mind
>
> 1. Your page is doing a "unaware" redirection to a non existing page, so
> it is loaded, but then it redirects you (or transfer you, they are
> different in ASP) and you get the 404 error massage

I tried a page that purely did a response.write and that failed.

> 2. Antivirus is detecting and removing the shell or putting it on
> quarantine (not likely if it is a web page)

as above, that wouldn't have been blocked

> 3. IIS server is hardened and classic asp pages are "served" by 404.dll
> a dll created by MS to prevent access to pages of certain type.

The existing .asp pages worked fine.

> From memory I think it has to do with either ownership or permissions
on the files but I can't remember enough about it.

Robin

> Hope it helps,
> Juan C Calderon
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Robin Wood
> Sent: Tuesday, April 12, 2011 12:00 PM
> To: webappsec () securityfocus com
> Subject: .asp giving 404
>
> On a recent test I got FTP write access to a web server which had an ASP
> based site on it. I uploaded an ASP shell and tried to browse to it but
> got a 404. I uploaded it to a directory that had directory listing
> enabled and confirmed the file was there but again browsing to it gave a
> 404.
>
> I uploaded a text file and image and could browse to both of those fine.
>
> I also tried downloading an existing page and modifying that then
> re-uploading it but didn't have permission to overwrite the file.
>
> I vaguely remember something to do with file permissions having to be
> set correctly for ASP to run from years ago when I did some dev work in
> it but can't remember. Can someone tell me what was likely to have been
> going on and if there is any way around it given the access I had?
>
> Robin
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------




This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------