Security Basics mailing list archives
RE: ASP security in HTML pages
From: "Calderon, Juan Carlos (GE Commercial Finance, NonGE)" <juan.calderon () ge com>
Date: Mon, 28 Jun 2004 11:14:42 -0400
Hello Dinis IMHO this occurred because .Net Framework was not correctly installed, more specific the ISAPI extension, this is a common error when the .NET Framework is intalled after IIS is for example. so IIS shows aspx pages content instead of process it. Regards JC -----Original Message----- From: Dinis Cruz [mailto:dinis () ddplus net] Sent: Sunday, June 27, 2004 12:10 PM To: 'Steve McCullough'; security-basics () securityfocus com; webappsec () securityfocus com Subject: RE: ASP security in HTML pages On the point of IIS 6.0 disclosing source code, I have already experienced in one of my test ISP accounts (with FastHosts.com) a situation where the source code of the Asp.Net pages was being sent directly to the client (i.e. the *.aspx was being handled as a normal webpage). Fasthosts refused to give me more details about the circumstances around the event (like logs, open threads, debug information, etc...) so I was not able to find more information about what caused the problem in the first place. Dinis
-----Original Message----- From: Steve McCullough [mailto:website () showmethesmut com] Sent: 25 June 2004 12:30 To: security-basics () securityfocus com; webappsec () securityfocus com Subject: RE: ASP security in HTML pages Hi all, I'd like to point out that there have been plenty of ways to get IIS to reveal ASP source code. Some examples: http://www.securityfocus.com/bid/2909/info/ http://www.microsoft.com/technet/security/bulletin/MS01-004.mspx http://www.netscreen.com/services/security/di_resource_center/threat_defin it ions.jsp?id=91 As _Hacking Web Applications Exposed_ puts it: "With the track record that IIS has had in the source disclosure department, it's never a good idea to assume that someone won't be able to view your source code" (55). It's sometimes suggested that scripters wrap database connection strings, encryption keys, and other sensitive information in COM objects to keep them private. Are there alternatives? What sorts of strategies do people use to keep their script contents confidential? Steve ----- Steve McCullough Web designerwww.venusenvy.ca www.showmethesmut.com-----Original Message----- From: Harrison Gladden [mailto:linuxguru80 () yahoo com] Sent: Thursday, June 24, 2004 6:51 PM To: Binoni_MARTIN Cc: security-basics () securityfocus com; webappsec () securityfocus com Subject: RE: ASP security in HTML pages The replies still stand. The only way the unprocessed asp page will make it to the client is if there is a "fatal" flaw/misconfiguration of the IIS server. Otherwise all request for the file via the http web server will be processed by the asp dll engine. However if you request the file via ftp or something of the sort then yes you will get the unprocesses code back from the server. ~Harrison --- Binoni_MARTIN <Benoni.MARTIN () libertis ga> wrote:Well, it seems I have not been very shape in my last posting. I know ASP code is executed on the server's side, and not in the client's browser (it will just receive the results of the scriting). But if a client requests "toto.asp", despite of if it will receive the "toto.asp" WITHOUT the ASP scripts, the server has a "full toto.asp" WITH the asp scripts. So my question was: as the server has in his directory this "full toto.asp", is there a way to get the "full toto.asp" from the server?
--------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- RE: ASP security in HTML pages, (continued)
- RE: ASP security in HTML pages Scovetta, Michael V (Jun 23)
- RE: ASP security in HTML pages Auri Rahimzadeh (Jun 25)
- Re: ASP security in HTML pages Matt Fisher (Jun 25)
- RE: ASP security in HTML pages Auri Rahimzadeh (Jun 25)
- RE: ASP security in HTML pages BĂ©noni MARTIN (Jun 24)
- RE: ASP security in HTML pages Harrison Gladden (Jun 25)
- RE: ASP security in HTML pages Steve McCullough (Jun 25)
- RE: ASP security in HTML pages Dinis Cruz (Jun 29)
- RE: ASP security in HTML pages Harrison Gladden (Jun 25)
- RE: ASP security in HTML pages Scovetta, Michael V (Jun 23)
- RE: ASP security in HTML pages Scovetta, Michael V (Jun 28)
- RE: ASP security in HTML pages Calderon, Juan Carlos (GE Commercial Finance, NonGE) (Jun 28)
- RE: ASP security in HTML pages Calderon, Juan Carlos (GE Commercial Finance, NonGE) (Jun 28)
- RE: ASP security in HTML pages Calderon, Juan Carlos (GE Commercial Finance, NonGE) (Jun 29)
- RE: ASP security in HTML pages Dinis Cruz (Jun 28)