
Re: ASP Security Hole (PHP Too)

daemon@ATHENA.MIT.EDU (Joshua J. Drake)
Thu Feb 17 06:09:14 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <20000215224543.E7C7DB812@fear.qoop.org>
Date:         Tue, 15 Feb 2000 16:45:43 -0600
Reply-To: "Joshua J. Drake" <jdrake@QOOP.ORG>
From: "Joshua J. Drake" <jdrake@QOOP.ORG>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <81D7AF647CE8D211A53A00805F9FACFB50D68C@WATERTOWER> from "Justin
              King" at Feb 10, 2000 03:47:36 PM

The following is also true for PHP.  Naming PHP include files .inc gives
anyone full-read access to the files by simply requesting them by name.

The solution of course is to do one of the following:

  a.  name php include files with a PHP extension (.php, .php3, etc) that is
      associated with PHP parsing them
  b.  associate .inc files with PHP so that they are parsed and not displayed

> It has been preached by the ASP industry professionals for as long as I've
> been in it, that ALL included files MUST have a ".asp" extension and that
> ASP debugging should be disabled on all production servers in order to keep
> all code out of evil hands.
>
> The problem here is 100% between the chair and the keyboard.
>
>  -----Original Message-----
> From: 	bgreenbaum@SECURITYFOCUS.COM [mailto:bgreenbaum@SECURITYFOCUS.COM]
> Sent:	Wednesday, February 09, 2000 7:22 PM
> To:	BUGTRAQ@SECURITYFOCUS.COM
> Subject:	ASP Security Hole (fwd)
>
> Forwarded with permission of the author. Please direct all replies to
> jwalsh@jwsg.com.
>
> Ben Greenbaum
> Director of Site Content
> Security Focus
> http://www.securityfocus.com
>
> ---------- Forwarded message ----------
> Description:
> ============
> Active server pages (ASP) with runtime errors
> expose a security hole that publishes
> the full source code name to the caller.
> If these scripts are published on the
> internet before they are debugged by
> the programmer, the major search
> engines index them.  These indexed
> ASP pages can be then located with a
> simple search.  The search results publish
> the full path and file name for the ASP
> scripts. This URL can be viewed in a browser
> and may reveal full source code with
> details of business logic, database location
> and structure.
>
> Procedure:
> ==========
> - In the Altavista search engine execute a search for
> +"Microsoft VBScript runtime error" +".inc, "
>
> - Look for search results that include the full
> path and filename for an include (.inc) file.
>
> - Append the include filename to the host name
> and call this up in a web browser.
> Example:  www.rodney.com/stationery/browser.inc
>
> Examples:
> =========
> http://shopping.altavista.com/inc/lib/prep.lib
> Exposes database connections and properties, resource locations,
> cookie logic, server IP addresses, business logic
>
> http://www.justshop.com/SFLib/ship.inc
> Exposes database properties, business logic
>
> http://www.bbclub.com:8013/includes/general.inc
> Exposes cobranding business logic
>
> http://www.salest.com/corporate/admin/include/jobs.inc
> Exposes datafile locations and structure
>
> http://www.bjsbabes.com/SFLib/design.inc
> Exposes source code for StoreFront 2000 including
> database structure
>
> http://www.ffg.com/scripts/IsSearchEngine.inc
> Exposes search engine log
>
> http://www.wcastl.com/include/functions.inc
> Exposes members email addresses and
> private comments file http://www.wcastl.com/flat/comments.txt
>
> http://www.traveler.net/two/cookies.inc
> Exposes cookie logic
>
> Resolution:
> ===========
>
> - Search engines should not index pages that
> have ASP runtime errors.
>
> - Programmers should fully debug their ASP
> scripts before publishing them on the web
>
> - Security administrators need to secure
> the ASP include files so that external users
> can not view them.
>
>
>
>
> ===========================
> Jerry Walsh
> JW's Software Gems
> Email  jwalsh@jwsg.com
> Phone  (949) 855-0233
> Website http://www.jwsg.com
> ===========================
>

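The reply's remedy (b), and the stricter option of refusing to serve include files at all, expressed as an added Apache httpd configuration example; this is not part of either post, and the document root path and the `.inc` pattern are assumptions for illustration:

```apache
# Remedy (b) from the reply: hand .inc files to mod_php so the server
# executes them instead of sending their source to the client.
# mod_php directive syntax; /var/www/html is an assumed example DocumentRoot.
<Directory "/var/www/html">
    AddType application/x-httpd-php .inc
</Directory>

# Stricter alternative: never serve .inc files over HTTP at all.
# PHP's include()/require() read include files from disk directly,
# so scripts that include them keep working; only direct requests are blocked.
<FilesMatch "\.inc$">
    # Apache httpd 2.4 syntax
    Require all denied
    # Apache httpd 2.2 syntax (use instead of the line above):
    # Order allow,deny
    # Deny from all
</FilesMatch>
```

With the deny rule in place, a direct request for a `.inc` URL gets a 403 instead of the file's contents, which also covers the case where a handler mapping is later lost in a server migration. Keeping include files outside the DocumentRoot altogether, and pointing PHP's `include_path` at that directory, removes the exposure without depending on any web-server directive.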