[18234] in North American Network Operators' Group


Aside: ability to view ASP/ColdFusion code

daemon@ATHENA.MIT.EDU (Manar Hussain)
Thu Jul 2 11:45:45 1998

Date: Thu, 02 Jul 1998 11:48:44 +0100
To: nanog@merit.edu
From: Manar Hussain <manar@ivision.co.uk>

This isn't really a NANOG issue so I'll keep it brief - I'm mentioning it
as it's something people here may well want to consider and pass on to
customers with NT servers.

Another MS security hole allows people to access the code for
ASP/ASA/ColdFusion pages by adding ::$data to the URL.

E.g.

http://www.allaire.com/handlers/index.cfm::$DATA

http://www.watford.co.uk/global.asa::$DATA

http://www.datareturn.com/av-asp.asp::$DATA

I understand that using SiteServer or making the file non-readable (but
retaining execute permissions!) "solves" the problem.

Regards,

Manar
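
Added example (not part of the original post): a log check for requests that carry the ::$DATA suffix described above. It assumes W3C extended format logs with a #Fields header, that encoded forms of the suffix should be normalised before matching, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# NTFS default-stream suffix at the end of a path segment, any letter case,
# e.g. /global.asa::$DATA
STREAM_SUFFIX = re.compile(r"::\$data(?=/|$)", re.IGNORECASE)

def decode_path(raw, rounds=3):
    """Drop the query string and percent-decode until the path stops changing."""
    path = raw.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_stream_request(raw_path):
    """True if the decoded request path asks for a file's ::$DATA stream."""
    return bool(STREAM_SUFFIX.search(decode_path(raw_path)))

def scan(log_lines):
    """Return (client, raw path, status) for each matching log entry."""
    fields, hits = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        path = row.get("cs-uri-stem", "")
        if is_stream_request(path):
            # A 200 status suggests the source was actually returned.
            hits.append((row.get("c-ip"), path, row.get("sc-status")))
    return hits

# Constructed sample log (documentation addresses, made-up requests)
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1998-07-02 10:01:12 192.0.2.10 GET /default.asp 200
1998-07-02 10:01:15 192.0.2.44 GET /global.asa::$DATA 200
1998-07-02 10:01:19 192.0.2.44 GET /index.cfm%3a%3a%24data 200
1998-07-02 10:01:25 192.0.2.51 GET /av-asp.asp::$Data 404
1998-07-02 10:01:30 192.0.2.10 GET /docs/data.asp 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```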
