Bugtraq mailing list archives
Re: ASP Security Hole (fwd)
From: MarkieV () UWYO EDU (Mark L. VanScoyk)
Date: Thu, 10 Feb 2000 17:20:28 -0700
- In the Altavista search engine execute a search for +"Microsoft VBScript runtime error" +".inc, "
- Look for search results that include the full path and filename for an include (.inc) file.
- Append the include filename to the host name and call this up in a web browser. Example: www.rodney.com/stationery/browser.inc
If you follow any of the ASP newsgroups, websites, or mailing lists, they always recommend one of 2 actions to prevent problems with include files:

1. Associate .inc files with the ASP interpreter.
2. Name all of your include files with the .asp extension instead of .inc. There is no reason that the files need an .inc extension.

This will ensure that if someone finds the name of your include file through an error or even by guessing, they will not see anything compromising.

In regards to the specific issues above: "Active server pages (ASP) with runtime errors expose a security hole that publishes the full source code name to the caller"

This can be prevented at the server level by changing the "Script Error Messages" property in IIS from "Send detailed ASP error messages to client" to "Send text error message to client". This property then lets you specify what error message to send. All further errors will simply receive that text message instead of the actual error.
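The following is an added example, not part of the original post: a small audit script a site administrator could run over a local ASP webroot to find include directives that still point at .inc files (the second recommendation above says to rename them to .asp so they are processed rather than served raw). The sample webroot it builds, including the page and include names, is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Matches server-side include directives as written in ASP pages, e.g.
#   <!--#include file="browser.inc"-->   or   <!--#include virtual="/lib/db.asp"-->
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE
)


def find_includes(asp_source):
    """Return (kind, path) for every include directive found in one ASP page."""
    return [(m.group(1).lower(), m.group(2)) for m in INCLUDE_RE.finditer(asp_source)]


def risky_includes(asp_source):
    """Included paths that do not end in .asp.

    Unless .inc is mapped to the ASP interpreter, such a file is returned as
    plain text to anyone who requests it directly by name.
    """
    return [path for _, path in find_includes(asp_source)
            if not path.lower().endswith(".asp")]


def audit_webroot(root):
    """Walk a webroot and map each .asp page to its non-.asp includes."""
    root = Path(root)
    findings = {}
    for page in sorted(root.rglob("*.asp")):
        risky = risky_includes(page.read_text(errors="replace"))
        if risky:
            findings[page.relative_to(root).as_posix()] = risky
    return findings


def build_demo_webroot():
    """Create a constructed (hypothetical) webroot in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="aspaudit_"))
    (root / "stationery").mkdir()
    # Page that still includes a .inc file: flagged by the audit.
    (root / "default.asp").write_text(
        '<!--#include file="stationery/browser.inc"-->\n'
        '<!--#include virtual="/lib/db.asp"-->\n'
        "<% Response.Write(\"hello\") %>\n"
    )
    # Page whose includes already use the .asp extension: nothing to report.
    (root / "clean.asp").write_text('<!--#include file="lib/util.asp"-->\n')
    (root / "stationery" / "browser.inc").write_text("<% Dim browserName %>\n")
    return str(root)


if __name__ == "__main__":
    demo = build_demo_webroot()
    for page, includes in audit_webroot(demo).items():
        for inc in includes:
            print(f"{page}: include '{inc}' should be renamed to .asp")
```

Running it against a real webroot is a matter of calling audit_webroot with that directory; the report lists each page and the include names to rename, after which the include directives themselves must be updated to the new .asp names.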