Home page logo
/

basics logo Security Basics mailing list archives

Re: passwords in asp pages
From: Chris Burton <cyberhiker99 () yahoo com>
Date: Tue, 9 Mar 2004 17:53:08 -0800 (PST)

The best practice that I have found here is to leave
it where it is.  I would start to worry if it were
easily accessible via FTP.

You are correct in thinking that the ASP is run on the
server and resulting HTML is sent down to the client
so no one will ever see the password.  

I would also make sure that they aren't using
something like the sa account in SQL Server, or the
system accout in Oracle.

If you were to put it an include file, that's when it
is easier to compromise.  

I would worry more about SQL Injection than this.

Regards,
Chris

---  <ian () kingcon com> wrote:
I am new to security and I have no training in asp
programming, so I am wondering if I am right in
being scared of the following instance...

A IIS based website which has asp pages which
contain plaintext passwords for credentials to an
sql database on another machine.  The passwords are
in between <% %> so I assume that means they are
only processed on the server and the user does not
see them, and there do not seem to be any .inc files
calling these pages.  The server is also up to date
with patches as far as I know.

This situation really bothers me, but I'm not
experienced enough too know how it could be
exploited or whether it could be exploited at all. 
I just don't like the fact that passwords to a db
user are scattered all over the website.  I need
something to make it easy to say to the people
responsible... "Here look this is what can be done
to the website to gather the passwords and destroy
your data.  I don't think it is wise you do this, it
is in your best interests to change this pattern." 
The programmer seemed to just brush it off, when I
said that they could be viewed if their source was
viewed, by telling me that they would be only
processed by the server itself, which still doesn't
make me feel good at all.

Shouldn't the password be encrypted?  Seperated in
their own file?  

Is it correct to assume that an attacker who
elevated their priveledges on the web box could view
these files and gain access too the database that
way through some other method?  

What else can be done by an attacker against asp
pages that would allow this data to be discovered?

Also if I could actually just demonstrate it right
before their eyes that would be a big help.

Thanks for any advice.

Ian
:)



Go to www.missingkids.com

Though the words, opinions, and/or policies
expressed herein are probably right, and most likely
right if you disagree with them, they are the
personal words, opinions, and/or policies of the
person using this account.  They are not, and the
author does not claim they are, the words, opinions,
and/or policies of the company and officers of
Merrill Information Systems Inc., any forum they are
placed in, or any entity other then the author
himself that they may appear to represent.  That
being said, the author probably thinks they should
be the opinion of those bodies, unless he is playing
the devil's advocate.

Send complaints or compliments to the author at:

ianian () 333ki ngc on.com

Taking out all numbers and spaces and the first ian
in the address, because spammers use bots, some
mailing lists block this information from prying
eyes, and people who pay attention can follow
instructions. 




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention
this ad and get $545 off
any course! All of our class sizes are guaranteed to
be 10 students or less
to facilitate one-on-one interaction with one of our
expert instructors.
Attend a course taught by an expert instructor with
years of in-the-field
pen testing experience in our state of the art
hacking lab. Master the skills
of an Ethical Hacker to better assess the security
of your organization.
Visit us at:

http://www.infosecinstitute.com/courses/ethical_hacking_training.html

----------------------------------------------------------------------------



__________________________________
Do you Yahoo!?
Yahoo! Search - Find what youÂ’re looking for faster
http://search.yahoo.com

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]