WebApp Sec mailing list archives
Re: Prevent security bypass
From: "sunzi" <sunzi () mod-x co uk>
Date: Fri, 7 Feb 2003 20:18:40 -0500
IMHO the answer is quite simple .... CAVEAT: 'converting' from HTML to ASP doesn't necessarily mean changing <p>text</p> to response.write("<p>text</p>").

Convert (rename each 'html' page) to ASP and use a standard include file <!-- #include virtual="/scripts/secure.inc" --> which provides the authentication routine.

I know I'm going to catch sh!t here cause I used .inc, but you can easily mitigate this by turning off read access in IIS to directories that only hold files included by other files (such as /scripts/).

hth,
sunzi

----- Original Message -----
From: "Chris Neil" <Chris.Neil () abs-ltd com>
To: <webappsec () securityfocus com>
Sent: Tuesday, February 04, 2003 11:59 AM
Subject: Prevent security bypass
I am new to this mailing list and so hope this conforms to the guidelines as I read them.

How do people address the issue of non-authenticated users requesting html pages directly from a site without logging in? FYI, this is an IIS server. Our asp pages check the user is logged in, but with html pages we cannot. My only idea so far is to convert all our html pages to asp. Is there anything less drastic?

Chris Neil
Security Officer
Chris.Neil () abs-ltd com
-------------------------------------------
ABS
Tel: +44 (0) 1993 771221
Fax: +44 (0) 1993 775081
-------------------------------------------
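As an added illustration of the approach sunzi describes (this is example code written for this archive page, not code from sunzi's post or from Chris Neil's site), here is a minimal classic ASP/VBScript `secure.inc` and a formerly static page that pulls it in. The file path `/scripts/secure.inc` is the one named in the post; the login page location `/login.asp`, the session key `Authenticated` and the `ReturnUrl` key are assumptions for the example.

```asp
<%
' /scripts/secure.inc  (path from the post; the rest is an assumed design)
' Included as the first thing on every page that was renamed .html -> .asp.
' Assumes /login.asp sets Session("Authenticated") = True after a valid login.
Dim bAuthenticated
bAuthenticated = False
If Not IsEmpty(Session("Authenticated")) Then
    If Session("Authenticated") = True Then bAuthenticated = True
End If

If Not bAuthenticated Then
    ' Record the requested page so login.asp can send the user back afterwards
    ' (assumed key; login.asp would read Session("ReturnUrl")).
    Session("ReturnUrl") = Request.ServerVariables("SCRIPT_NAME")
    ' Ask browsers and proxies not to keep a copy of protected pages.
    Response.Expires = -1
    Response.AddHeader "Cache-Control", "no-store"
    ' Redirect ends processing, so none of the page body below is sent.
    Response.Redirect "/login.asp"
End If
%>

<!-- /reports/summary.asp (hypothetical page, formerly summary.html)       -->
<!-- The include directive must be the very first line so the check runs  -->
<!-- before any HTML is emitted; the original markup follows unchanged.    -->
<!-- #include virtual="/scripts/secure.inc" -->
<html>
<head><title>Summary</title></head>
<body>
<p>text</p>
</body>
</html>
```

Two points a practitioner would check when rolling this out: the include only protects pages that were actually renamed to `.asp`, so any `.html` left behind is still served by IIS without running the check; and the read-permission change sunzi mentions for `/scripts/` is a directory setting in the IIS console, which stops a direct request for `secure.inc` from returning its source but is not something the include file can enforce on its own.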
Current thread:
- Re: Prevent security bypass, (continued)
- Re: Prevent security bypass Igor Guarisma (Feb 05)
- RE: Prevent security bypass Adam (Feb 05)
- Re: Prevent security bypass Chris Travers (Feb 06)
- RE: Prevent security bypass Adam (Feb 06)
- RE: Prevent security bypass Larry Seltzer (Feb 06)
- Re: Prevent security bypass Chris Travers (Feb 06)
- Re: Prevent security bypass Chris Travers (Feb 06)
- Re: Prevent security bypass Ulrich P. (Feb 05)
- Re: Prevent security bypass Chris Travers (Feb 04)
- Re: Prevent security bypass c3rb3r (Feb 04)
- Re: Prevent security bypass Adrian Wiesmann (Feb 04)
- Re: Prevent security bypass sunzi (Feb 07)
- Re: Prevent security bypass Ernie Nelson (Feb 07)
- HTTP Header and POST Data Exploitation Rahul Chander Kashyap (Feb 08)
- RE: HTTP Header and POST Data Exploitation Indian Tiger (Feb 09)
- Re: Prevent security bypass Ernie Nelson (Feb 07)
- RE: Prevent security bypass Vinny Bedus (Feb 05)
- Re: Prevent security bypass Chris Travers (Feb 05)