[46] in Best-of-Security
BoS: Re[2]: [NTSEC] ! [ADVISORY] Major Security Hole in MS ASP
daemon@ATHENA.MIT.EDU (daragh_malone@TELECOM.IE)
Wed Feb 26 05:16:19 1997
Date: Tue, 25 Feb 1997 17:12:00 GMT
Reply-To: daragh_malone@TELECOM.IE
From: daragh_malone@TELECOM.IE
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net
Just modified the registry entry to deal with ".ASP." files. However,
this doesn't protect against ".ASP.." or ".ASP...", etc. You'd have to add a
number of entries, up to the MAXLENGTH of the URL, if there is one, for each
server script.
Best bet is a separate folder as mentioned below.
______________________________ Reply Separator _________________________________
Subject: Re: [NTSEC] ! [ADVISORY] Major Security Hole in MS ASP
Author: Mitja Kolsek <mitja.kolsek@IJS.SI> at csgnet
Date: 25/02/97 16:44
I suppose there's a simpler solution for those who want to protect their
asp, .idc & .htx files that are so well mixed among regular .htm files.
In your registry, under IIS ScriptMapping
(HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/W3SVC/Parameters/Scrip
tMapping)
(could be this is not _quite_ exact, but you'll find it)
Create a string value named ".ASP." (note the ending dot) and copy its data
from ".ASP" value already present in this registry key if you're running
IIS 3.0. This successfully renders the 'dot attack' ineffective. Apply this
procedure to all script extensions.
Nevertheless I suggest moving all script files to a separate folder, so use
this technique only as a temporary measure. There will soon be another
security hole in the wild so it's better to be prepared.
