WebApp Sec mailing list archives

Re: ASP security in HTML pages


From: Dominic Cleal <domnews () computerkb co uk>
Date: Tue, 29 Jun 2004 07:38:59 +0100

On Mon, 28 Jun 2004 11:22:11 -0400
"Calderon, Juan Carlos (GE Commercial Finance, NonGE)"
<juan.calderon () ge com> wrote:

Hi!

From my point of view the easiest way is to use the "friendly" pages to
show code like ShowCode.asp page at IIS samples.

(Background)
http://support.microsoft.com/default.aspx?scid=kb;en-us;232449

(Exploit)
http://www.atstake.com/research/advisories/1999/showcode.txt

(Both)
http://www.securityfocus.com/infocus/1317

Cheers
JC

If he's paranoid about the system config and fears that his sysadmin might accidentally misconfigure the server then he 
might be able to use a ShowCode.asp like system to retrieve and show pages.

Depending on his level of paranoia, he could use the same code as ShowCode.asp but with heavy checking to ensure that 
nobody uses that exploit, but he'd have to be extremely sure or stupid in case there are other ways to exploit it.

He could otherwise make an index page, which takes a passed variable (page=home, page=sales etc) and a select case 
inside the script - each case has an include to a file outside the web serving path.  Then if the script gets sent out, 
all they see is a select case with a load of includes - they'd know where the files were stored, but as they're outside 
the serving directory, as long as there are no more exploits, they're safe.

If he's got loads of pages, he could do a similar thing by replacing each page with a page that just has an include to 
the actual code (stored outside the serving directory again).  The maintenance might not be fun, but it all depends on 
how much he trusts his sysadmin!

-- 
Dominic Cleal
dominic () computerkb co uk
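
The select-case index page described in the message above, sketched as an added example (not code from the original post). The page names, file names and directory layout are assumptions made for illustration.

```asp
<%@ Language="VBScript" %>
<% Option Explicit %>
<%
' index.asp - the only script left inside the web root.
' Assumed layout (hypothetical): D:\site\wwwroot\index.asp is served,
' D:\site\private\*.asp is not mapped to any URL.
'
' #include is resolved before any script runs, so the file name can never
' come from the request: every include below is a fixed literal and all of
' them are merged into this script. Select Case only decides which merged
' block executes. Because the files share one scope, they must not Dim the
' same variable names.
'
' "..\" in #include file needs Enable Parent Paths switched on in IIS.

Dim page
page = LCase(Trim(Request.QueryString("page")))

Select Case page
    Case "", "home"
%><!-- #include file="..\private\home.asp" --><%
    Case "sales"
%><!-- #include file="..\private\sales.asp" --><%
    Case "contact"
%><!-- #include file="..\private\contact.asp" --><%
    Case Else
        ' Unknown value: fixed response, the supplied value is never echoed
        ' or used to build a path.
        Response.Status = "404 Not Found"
        Response.Write "Page not found."
End Select
%>
```

If the server is misconfigured and returns this file as text, the reader sees only the page keys and the relative paths of the private files, none of which can be requested by URL.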

