[4536] in WWW Security List Archive
FW: Security Hole in ASP Discovered
daemon@ATHENA.MIT.EDU (Greg Haverkamp)
Thu Feb 20 15:53:03 1997
Date: Thu, 20 Feb 1997 12:26:08 -0500
To: www-security@ns2.rutgers.edu
From: Greg Haverkamp <gregh@instinctive.com>
Errors-To: owner-www-security@ns2.rutgers.edu
The concept of quasi-executables in document directories has always seemed
to me a strange aspect of ASP.
One of these days, perhaps Microsoft will begin testing the security of
their products.
Greg
----------
> From: Stephen Genusa <steveg@ONRAMP.NET>
> To: ISAPI@LISTSERV.MSN.COM
> Subject: Security Hole in ASP Discovered
> Date: Thursday, February 20, 1997 10:02 AM
>
> A security hole was found in ASP by Juan T. Llibre (j.llibre@codetel.net.do).
> This hole allows Web clients to download unprocessed ASP files, potentially
> exposing user ids and passwords from products like SQL Server.
>
> To download the unprocessed ASP file one simply has to add a . (period) to
> the ASP URL. For example: http://www.mycompany.com/default.asp becomes
> http://www.mycompany.com/default.asp.
>
> There are two known ways to stop this behavior:
>
> 1. Turn read permissions off of the ASP directory in the Internet Service
> Manager. This may not be a practical solution since many sites mix ASP and
> HTML files.
>
> 2. Download a filter written by Christoph Wille
> (Christoph.Wille@unileoben.ac.at).
>
> For a link to the filter see http://www.genusa.com/asp/patch/sechole.html
>
> Stephen
>
> Note: This was cross-posted to the ISAPI list since a) the best solution is
> ISAPI based and includes source b) There is overlap since IIS is the base
> product most developers are using.
>
> ******************************************************************
> * Stephen Genusa (steveg@onramp.net) SiteBuilder Level 2 *
> * Personal WWW Site : http://users.aol.com/bible2007 *
> * Maintainer MS IIS FAQ : http://www.genusa.com/iis/ *
> * ISAPI Developer's Site : http://www.genusa.com/isapi/ *
> * ASP Developer's Site : http://www.genusa.com/asp/ *
> * ASP Components : http://www.genusa.com/asp/aspcomp.stm *
> * SE Using ISAPI: http://www.mcp.com/que/developer_expert/isapi/ *
> ******************************************************************
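Added example (Python; not code from the original post, and not Christoph Wille's ISAPI filter): a small model of why "default.asp." hands back ASP source, and the canonicalisation that closes it. The hole works because the Win32 file API ignores trailing dots (and spaces) in the last path component, so "default.asp." opens the same file as "default.asp", while the IIS script map is consulted with the extension exactly as it arrived in the URL; ".asp." matches nothing, so the request falls through to the static-file handler and the raw bytes, including any connection strings, leave the server. The script map, the web root and the ASP text below are constructed for illustration; leaks_source() takes whatever URL the caller supplies and is a hypothetical helper, not something from the post.

```python
"""
Model of the IIS trailing-dot ASP source disclosure and a fix.
Added example; SCRIPT_MAP, DOC_ROOT and the ASP text are constructed.
"""
import urllib.error
import urllib.request

# Constructed stand-in for the IIS script map: extension -> ISAPI handler.
SCRIPT_MAP = {".asp": "asp.dll"}

# Constructed stand-in for the web root.  A real server opens files on NTFS;
# win32_open_name() emulates the relevant Win32 rule so this runs anywhere.
DOC_ROOT = {
    "/default.asp": ('<% Set cn = Server.CreateObject("ADODB.Connection") %>\n'
                     '<% cn.Open "DSN=sales;UID=sa;PWD=hunter2" %>'),  # constructed
    "/readme.htm": "<html><body>Welcome</body></html>",
}


def win32_open_name(url_path):
    """Win32 CreateFile ignores trailing dots and spaces in the final path
    component, so "/default.asp." opens the same file as "/default.asp"."""
    head, sep, tail = url_path.rpartition("/")
    return head + sep + tail.rstrip(". ")


def extension_of(url_path):
    """Extension of the last component exactly as received: "." for "x.asp."."""
    tail = url_path.rpartition("/")[2]
    dot = tail.rfind(".")
    return tail[dot:].lower() if dot >= 0 else ""


def serve_vulnerable(url_path):
    """Pre-fix routing: the script map is consulted with the extension of the
    URL as sent.  ".asp." matches nothing, so the request falls through to the
    static-file path, which opens the file by Win32 rules and returns the raw
    bytes, ASP source included."""
    handler = SCRIPT_MAP.get(extension_of(url_path))
    if handler is not None:
        return ("script", handler)
    body = DOC_ROOT.get(win32_open_name(url_path))
    if body is None:
        return ("404", None)
    return ("static", body)


def serve_hardened(url_path):
    """Fix in the spirit of the post's ISAPI-filter remedy: canonicalise the
    name the way the file system will *before* consulting the script map, so
    every spelling that opens default.asp is routed to asp.dll.  Remedy 1 in
    the post (no Read permission on the ASP directory) enforces the same
    outcome with an ACL instead of code."""
    canonical = win32_open_name(url_path)
    handler = SCRIPT_MAP.get(extension_of(canonical))
    if handler is not None:
        return ("script", handler)
    body = DOC_ROOT.get(canonical)
    if body is None:
        return ("404", None)
    return ("static", body)


def leaks_source(url, marker=b"<%", timeout=10):
    """Hypothetical live check: fetch url + "." and report whether the body
    carries an ASP delimiter.  Only point this at hosts you are authorised to
    test; a network error is reported as "no leak seen", not as safe."""
    try:
        with urllib.request.urlopen(url + ".", timeout=timeout) as resp:
            return marker in resp.read()
    except urllib.error.URLError:
        return False


if __name__ == "__main__":
    for path in ("/default.asp", "/default.asp.", "/default.asp ", "/readme.htm."):
        print(repr(path), "vulnerable:", serve_vulnerable(path)[0],
              "hardened:", serve_hardened(path)[0])
```

Run the block directly to see the routing decisions side by side: the vulnerable router sends "/default.asp." and "/default.asp " to the static handler, the hardened one sends both to asp.dll. Note that canonicalising before the map lookup is the general fix; blocking only a trailing "." would leave the trailing-space spelling open.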