WebApp Sec mailing list archives

Re: Prevent security bypass


From: Scott Mulcahy <scottcm () usa net>
Date: Wed, 12 Feb 2003 09:22:00 -0600

Another simple solution that has less impact on current applications is to
associate the .INC extension with asp.dll.  You can do this by going to
Properties of the web site, selecting the Home Directory tab, under
Application Settings click the Configuration button.  The first tab is App
Mappings.  You'll need to Add a new mapping.  I'd suggest using All Verbs.

This has the same impact as using .ASP for include files but allows developers
to use the more intuitive .INC extension.  It also prevents having to go back
through all your code to replace .INC with .ASP.

Good luck,
Scott

-----Original Message-----
From: Ernie Nelson [mailto:Juridian () juridian com]
Sent: Friday, February 07, 2003 7:48 PM
To: webappsec () securityfocus com
Subject: Re: Prevent security bypass


A simpler method that requires less work is to simply name your include with
the .asp extension. If you feel the need to mark it as an include, prefix
the filename with inc_ (such as inc_secure.asp). That way even if the
directories aren't configured right, the code is stripped out and harmless.


I know I'm going to catch sh!t here cause I used .inc, but you can easily
mitigate this by turning off read access in IIS to directories that only
hold files included by other files (such as /scripts/)
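Both fixes in this thread come down to one question: which of your include files have an extension IIS will hand to asp.dll, and which would be returned as plain source if requested directly. The script below is an added audit helper, not code from either poster: it scans ASP pages for `<!--#include file|virtual="...">` directives and reports the included paths whose extension is not script-mapped, so you can see whether renaming to .asp or adding the .INC mapping has covered everything. The file names and contents are constructed for the demonstration.

```python
import re
from pathlib import Path

# Constructed sample tree (not from the thread): one page pulling in two
# includes via the SSI directive, one of which keeps the .inc extension.
SAMPLE_FILES = {
    "default.asp": '<!--#include file="inc_secure.asp"-->\n'
                   '<!--#include virtual="/scripts/dbconn.inc"-->\n'
                   '<% Response.Write "hello" %>',
    "inc_secure.asp": "<% Const ADMIN = 1 %>",
    "scripts/dbconn.inc": '<% ConnStr = "Provider=SQLOLEDB;Password=..." %>',
}

# Matches <!--#include file="..."--> and <!--#include virtual="..."-->
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.I)


def find_includes(source: str):
    """Return (kind, path) pairs for every SSI include directive in source."""
    return [(m.group(1).lower(), m.group(2)) for m in INCLUDE_RE.finditer(source)]


def unmapped_includes(files, script_mapped=(".asp",)):
    """Return included paths whose extension is not mapped to asp.dll.

    By default IIS only maps .asp; pass (".asp", ".inc") once the App
    Mapping described in the thread is in place.  Anything left in the
    result is served as plain text if a browser requests it directly.
    """
    mapped = {e.lower() for e in script_mapped}
    exposed = set()
    for text in files.values():
        for _kind, path in find_includes(text):
            if Path(path).suffix.lower() not in mapped:
                exposed.add(path)
    return sorted(exposed)


def audit_tree(root, script_mapped=(".asp",)):
    """Run the same check over real *.asp / *.inc files under root."""
    files = {str(p): p.read_text(errors="replace")
             for p in Path(root).rglob("*")
             if p.is_file() and p.suffix.lower() in (".asp", ".inc")}
    return unmapped_includes(files, script_mapped)


if __name__ == "__main__":
    print("exposed with default mapping:", unmapped_includes(SAMPLE_FILES))
    print("exposed after mapping .inc:  ",
          unmapped_includes(SAMPLE_FILES, (".asp", ".inc")))
```

Run `audit_tree("C:/inetpub/wwwroot")` (or wherever the site lives) against the real tree; an empty list means every include is either renamed to .asp or covered by the .INC mapping.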

