Bugtraq mailing list archives

Re: More potential ASP problems

From: paul () ARGO DEMON CO UK (Paul Ashton)
Date: Mon, 6 Jul 1998 23:58:11 +0200


f.c.w.donck () SIEP SHELL COM said:

Apart from the http://www.domain.com/xxxx.asp::$DATA in ASP applications
there may also a http://www.domain.com/global.asa which may contain session
variables and user-id/password combinations for entering databases and the
like.


microsoft did list .asa files as one of several that needed to be
protected. I've also downloaded .dll, .exe, and .cfm files. I'm sure
there are many others. It is nothing to do with ASP applications,
just the fact that content handlers don't understand the type of any
particular file which doesn't have the correct .XXX extension.

http://www.scripting.com has some amusing anecdotes of credit card
database passwords and a frequent flier database password being
recovered.

Paul

Current thread:

More potential ASP problems Fred Donck (Jul 03)
- Re: More potential ASP problems Paul Ashton (Jul 06)
- <Possible follow-ups>
- Re: More potential ASP problems Michael Howard (Jul 06)