WebApp Sec mailing list archives

Re: Prevent security bypass


From: "sunzi" <sunzi () mod-x co uk>
Date: Fri, 7 Feb 2003 20:18:40 -0500

IMHO the answer is quite simple ....

CAVEAT: 'converting' from HTML to ASP doesn't necessarily mean changing
<p>text</p> to response.write("<p>text</p>").

convert (rename each 'html' page) to ASP and use a standard include file
<!-- #include virtual="/scripts/secure.inc" --> which provides the
authentication routine.

I know I'm going to catch sh!t here cause I used .inc, but you can easily
mitigate this by turning off read access in IIS to directories that only
hold files included by other files (such as /scripts/)

hth,
sunzi

----- Original Message -----
From: "Chris Neil" <Chris.Neil () abs-ltd com>
To: <webappsec () securityfocus com>
Sent: Tuesday, February 04, 2003 11:59 AM
Subject: Prevent security bypass


I am new to this mailing list and so hope this conforms to the guidelines as
I read them.

How do people address the issue of non-authenticated users requesting html
pages directly from a site without logging in?

FYI. This is an IIS server. Our asp pages check the user is logged in, but
with html pages we cannot.
My only idea so far is to convert all our html pages to asp. Is there
anything less drastic?


Chris Neil
  Security Officer
  Chris.Neil () abs-ltd com
-------------------------------------------
ABS
  Tel:     +44 (0) 1993 771221
  Fax:    +44 (0) 1993 775081
-------------------------------------------
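Added example of the "standard include file" approach sunzi describes above; it is not code from the thread. It assumes the login page stores the user id in Session("UserID") and lives at /login.asp (both names are assumptions).

```vbscript
<%
' /scripts/secure.inc (added example, not from the thread)
' Included at the top of every former .html page, now renamed to .asp:
'   <!-- #include virtual="/scripts/secure.inc" -->
' The include is expanded before the page runs, so the check below
' executes before a single byte of the page body is sent.

Sub RequireLogin()
    ' Assumption: login.asp sets Session("UserID") after a successful logon.
    ' An empty/missing session value means the request is unauthenticated.
    If Len(Session("UserID")) = 0 Then
        ' Remember where the user was going so login.asp can send them back.
        Session("ReturnTo") = Request.ServerVariables("URL")

        ' Stop browsers and proxies caching a protected page that was
        ' previously served to an authenticated user.
        Response.Expires = -1
        Response.CacheControl = "no-cache"
        Response.AddHeader "Pragma", "no-cache"

        ' 302 to the login page. Response.Redirect already halts processing,
        ' Response.End is kept as a belt-and-braces guard so no page content
        ' can leak if buffering settings are changed later.
        Response.Redirect "/login.asp"
        Response.End
    End If
End Sub

' Run the check immediately on include; pages need no additional code.
RequireLogin
%>
```

login.asp itself must not include this file, or an unauthenticated visit would redirect in a loop; the /scripts/ directory still needs IIS read access switched off as the reply notes, so the .inc source is never served directly.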