RE: Global.asa security under IIS 6.0

["dinis () ddplus net" <dinis () ddplus net>]

Of course that if you are hosting your website in a
shared hosting environment and the Hoster allows Full
Trust Asp.Net (or support FPSE 2002 without proper
security configuration), then your Global.Asa or
Web.Config can be easily read by a malicious user with
access to a valid account in that server.

Dinis

On Wed, 9 Jun 2004 10:20:45 -0400, "Don Tuer" wrote

> Basically IIS will not return global.asa (and other
> configuration files)
> for any reason to a request. The only way to access
> this file is exploit
> known or unknown vulnerabilities in IIS. This implies
> that you must keep
> IIS patched. For .NET Microsoft has made many
> improvements in security
> including allowing you to encrypt passwords in the
> configuration files
> (ie web.config).
>
> Thanks
> Don 
>
> -----Original Message-----
> From: Bénoni MARTIN
[mailto:Benoni.MARTIN () libertis ga] 
> Sent: Tuesday, June 08, 2004 4:18 AM
> To: webappsec () securityfocus com;
> pen-test () securityfocus com
> Subject: Global.asa security under IIS 6.0
>
> Hi list !
>
> I am wondering about how much secure is the
> "global.asa" file in ASP. It
> = seems that we can gather there most of the
parameters
> used with our
> ASP = pages, but it can be also a weakness if a
> malicious guy gets
> access to = it !
>
>
> So anyone one knows how secure is it to use
global.asa,
> how can we get =
> it from a website (IIS refuses access to it with an =
> http://blahblahblah.com/global.asa)...and how can we
> avoid people =
> stealing if ?
>
>
> Thanks in advance!

----------------------------------------
Scanned by Emailfiltering.co.uk