WebApp Sec mailing list archives
Re: Prevent security bypass
From: Scott Mulcahy <scottcm () usa net>
Date: Wed, 12 Feb 2003 09:22:00 -0600
Another simple solution that has less impact to current applications is to associate the .INC extension with asp.dll. You can do this by going to Properties of the web site, selecting the Home Directory tab, under Application Settings click the Configuration button. The first tab is App Mappings. You'll need to Add a new mapping. I'd suggest using All Verbs. This has the same impact as using .ASP for include files but allows developers to use the more intuitive .INC extension. It also prevents having to go back through all your code to replace .INC with .ASP.

Good luck,
Scott

-----Original Message-----
From: Ernie Nelson [mailto:Juridian () juridian com]
Sent: Friday, February 07, 2003 7:48 PM
To: webappsec () securityfocus com
Subject: Re: Prevent security bypass

A simpler method that requires less work is to simply name your include with the .asp extension. If you feel the need to mark it as an include, prefix the filename with inc_ (such as inc_secure.asp). That way even if the directories aren't configured right, the code is stripped out and harmless.
I know I'm going to catch sh!t here cause I used .inc, but you can easily mitigate this by turning off read access in IIS to directories that only hold files included by other files (such as /scripts/)
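An audit sketch for the options discussed in this thread, added here as an example and not code from any of the posters: it walks a web root, parses the include directives in script-mapped pages, and reports included files whose extension has no script mapping, since those are the ones a direct request would return as source. The set of mapped extensions, the function names and the sample site tree are assumptions constructed for illustration.

```python
import os
import re

# Classic ASP server-side include directive: <!-- #include file="..." -->
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE)


def resolve(web_root, page_dir, kind, target):
    """Map an include target to a filesystem path under web_root."""
    target = target.replace("\\", "/")
    if kind.lower() == "virtual":  # resolved from the site root
        return os.path.normpath(os.path.join(web_root, target.lstrip("/")))
    return os.path.normpath(os.path.join(page_dir, target))  # relative to page


def relpath(path, web_root):
    """Site-relative path with forward slashes, for stable reporting."""
    return os.path.relpath(path, web_root).replace(os.sep, "/")


def find_exposed_includes(web_root, mapped_exts=(".asp",)):
    """Return sorted (page, include) pairs whose include has an extension
    with no script mapping, so a direct request would return its source.
    mapped_exts is an assumption: the extensions mapped to asp.dll."""
    mapped = {e.lower() for e in mapped_exts}
    findings = set()
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in mapped:
                continue  # unmapped files are never executed, so not parsed
            page = os.path.join(dirpath, name)
            with open(page, encoding="latin-1") as fh:
                text = fh.read()
            for kind, target in INCLUDE_RE.findall(text):
                inc = resolve(web_root, dirpath, kind, target)
                if os.path.splitext(inc)[1].lower() not in mapped:
                    findings.add((relpath(page, web_root), relpath(inc, web_root)))
    return sorted(findings)


def build_sample_site(root):
    """Write a small constructed site tree (sample data, not from the thread)."""
    os.makedirs(os.path.join(root, "scripts"))
    pages = {
        "default.asp": '<!-- #include file="scripts\\secure.inc" -->\n'
                       '<!-- #include virtual="/scripts/inc_db.asp" -->\n',
        "scripts/secure.inc": '<% Const DB_PASSWORD = "constructed" %>\n',
        "scripts/inc_db.asp": '<% Response.Write "ok" %>\n',
    }
    for path, body in pages.items():
        with open(os.path.join(root, path), "w", encoding="latin-1") as fh:
            fh.write(body)
```

Passing `(".asp", ".inc")` as `mapped_exts` models the App Mappings change described above; the same tree then produces no findings.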