WebApp Sec mailing list archives
RE: Global.asa security under IIS 6.0
From: "dinis () ddplus net" <dinis () ddplus net>
Date: Wed, 09 Jun 2004 09:36:24 -0700 (PDT)
Of course, if you are hosting your website in a shared hosting environment and the hoster allows Full Trust ASP.NET (or supports FPSE 2002 without proper security configuration), then your Global.asa or Web.config can be easily read by a malicious user with access to a valid account on that server.

Dinis

On Wed, 9 Jun 2004 10:20:45 -0400, "Don Tuer" wrote
Basically IIS will not return global.asa (and other configuration files) for any reason to a request. The only way to access this file is to exploit known or unknown vulnerabilities in IIS. This implies that you must keep IIS patched.

For .NET, Microsoft has made many improvements in security, including allowing you to encrypt passwords in the configuration files (i.e. web.config).

Thanks
Don

-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga]
Sent: Tuesday, June 08, 2004 4:18 AM
To: webappsec () securityfocus com; pen-test () securityfocus com
Subject: Global.asa security under IIS 6.0

Hi list!

I am wondering how secure the "global.asa" file is in ASP. It seems that we can gather there most of the parameters used with our ASP pages, but it can also be a weakness if a malicious guy gets access to it!

So does anyone know how secure it is to use global.asa, how can we get it from a website (IIS refuses access to it with an http://blahblahblah.com/global.asa)... and how can we avoid people stealing it?

Thanks in advance!