Penetration Testing mailing list archives
Re: [PEN-TEST] HTML source code and authentication
From: c0ncept <c0ncept () 403-SECURITY ORG>
Date: Mon, 18 Dec 2000 12:18:07 -0800
It looks like your ibank.dll is an ISAPI extension (consult msdn.microsoft.com, CHttpServer). The name of the extension appearing in the source should not be an issue, any more than the name of a cgi or perl script. If the scripts directory is vulnerable to the unicode vulnerability, however, the DLL could be downloaded. It could have a DSN hardcoded into it or the filename of an external DSN containing the location and password of the database containing the database with your membership information.

If you _do_ wish to obscure this information, you could rewrite ibank.dll as an ISAPI Filter, in which case it would be loaded by IIS and handle files based on their extensions, rather than explicitly mentioning the file name in the code.

--c0ncept

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of Skinner, Tim L.
Sent: Monday, December 18, 2000 11:13 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] HTML source code and authentication

Hi all,

I must first apologize about my general ignorance of HTML, but I've been asked to look into this.

I have a question regarding the source code of a web page that authenticates users. The snippet of source code from the web page in question is as follows:

#<H2><font color=9771824>Member Sign On</font></H2>
#<form name="signon" action="/scripts/ibank.dll" method=post>
#<INPUT TYPE ="HIDDEN" NAME=Func VALUE="SignOn">
#<INPUT TYPE=HIDDEN NAME=Frames VALUE="150">
#<INPUT TYPE ="HIDDEN" NAME=homepath VALUE="cu3">

It leaves me wondering if the referenced ibank.dll file is some authentication program of some sort and if the availability of this information simply by clicking on 'view source' is a potential problem. Furthermore, is there a way to obscure this information if it is a risk?
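A defender-side check for the point c0ncept raises about a DSN being compiled into the DLL: the following is an added example (not code from this thread or from the ibank product) that scans a binary for ODBC-style connection strings in both ASCII and UTF-16LE, masks password values so the finding can be reported, and flags references to an external file DSN. The DLL bytes and the names in them are a constructed sample, not a real ibank.dll.

```python
import re
from typing import List, Tuple

# ODBC/DSN fragments a hardcoded connection string would carry, plus a bare
# path to an external file DSN (*.dsn) that itself holds the credentials.
CONN_RE = re.compile(
    r"\b(?:DSN|FILEDSN|UID|PWD|PASSWORD|DRIVER|SERVER|DATABASE|DBQ)=[^;]*"
    r"|[A-Za-z]:\\[^;]+\.dsn\b",
    re.IGNORECASE,
)
SECRET_RE = re.compile(r"\b(PWD|PASSWORD)=[^;]*", re.IGNORECASE)


def extract_strings(blob: bytes, min_len: int = 8) -> List[Tuple[str, str]]:
    """Printable runs of at least min_len chars, in ASCII and in UTF-16LE
    (Win32 binaries often store string data as UTF-16LE)."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.append(("ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        found.append(("utf-16le", m.group().decode("utf-16-le")))
    return found


def find_connection_strings(blob: bytes) -> List[Tuple[str, str]]:
    """Strings that look like DSN/connection data; password values are
    masked so the finding can go into a report without leaking the secret."""
    hits = []
    for enc, text in extract_strings(blob):
        if CONN_RE.search(text):
            hits.append((enc, SECRET_RE.sub(r"\1=***", text)))
    return hits


# Constructed sample standing in for a downloaded ISAPI DLL; these are not
# real ibank.dll bytes, and the DSN, user, host and password are made up.
SAMPLE_DLL = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
    + b"This program cannot be run in DOS mode.\x00"
    + b"DSN=ibank;UID=webuser;PWD=hunter2;\x00\x00"
    + "Driver={SQL Server};Server=db01;Database=members;".encode("utf-16-le")
    + b"\x00\x00"
    + b"C:\\inetpub\\scripts\\ibank.dsn\x00"
)

if __name__ == "__main__":
    for enc, text in find_connection_strings(SAMPLE_DLL):
        print(f"[{enc}] {text}")
```

The same scan run over a real build before deployment tells you whether shipping (or leaking) the DLL would also ship the database credentials.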
Current thread:
- [PEN-TEST] HTML source code and authentication Skinner, Tim L. (Dec 18)
- Re: [PEN-TEST] HTML source code and authentication Bennett Todd (Dec 18)
- Re: [PEN-TEST] HTML source code and authentication c0ncept (Dec 18)
- Re: [PEN-TEST] HTML source code and authentication NetW3.COM Consulting (Dec 19)
- <Possible follow-ups>
- Re: [PEN-TEST] HTML source code and authentication Adams, Gavin (Dec 18)
- Re: [PEN-TEST] HTML source code and authentication Yonatan Bokovza (Dec 18)
- Re: [PEN-TEST] HTML source code and authentication Chris Tobkin (Dec 18)
- Re: [PEN-TEST] HTML source code and authentication Martijn Prummel (Dec 19)