Security Basics mailing list archives
RE: passwords in asp pages
From: "Michael Dunn" <MDunn () sscincorporated com>
Date: Wed, 10 Mar 2004 13:21:10 -0500

I'd like to add my experience here too:

An old vulnerability in IIS was that a specially crafted URL would return the script of an ASP page instead of 
executing it. Granted, it's an old flaw that's been fixed.

That being said - I never place database credentials in the script behind an ASP page - instead, I configure the ODBC 
data source with the login credentials. My thinking is that, if the machine is compromised, it really doesn't matter how I do 
it, the credentials are compromised - but doing it outside of the ASP script at least prevents an IIS server bug from 
displaying the password.

(And don't put your database server on a publicly accessible node!)

Regards,

-Mike



-----Original Message-----
From: Michael Gale [mailto:michael () bluesuperman com]
Sent: Tuesday, March 09, 2004 10:19 PM
To: security-basics () securityfocus com
Subject: Re: passwords in asp pages


Hello,

        I believe a hacker would have to compromise the box in order to see the
passwords, unless it is printed to the client via a web page or HTTP
environment variable.

Is the site available via http or https ? If it is http then a sniffer
will show the passwords, it should be HTTPS.

Michael.



On Tue, 9 Mar 2004 09:00:11 -0500
"" <ian () kingcon com> wrote:

I am new to security and I have no training in asp programming, so I
am wondering if I am right in being scared of the following
instance...

An IIS based website which has ASP pages which contain plaintext
passwords for credentials to an SQL database on another machine.  The
passwords are in between <% %> so I assume that means they are only
processed on the server and the user does not see them, and there do
not seem to be any .inc files calling these pages.  The server is also
up to date with patches as far as I know.

This situation really bothers me, but I'm not experienced enough to
know how it could be exploited or whether it could be exploited at
all.  I just don't like the fact that passwords to a db user are
scattered all over the website.  I need something to make it easy to
say to the people responsible... "Here look, this is what can be done
to the website to gather the passwords and destroy your data.  I don't
think it is wise you do this, it is in your best interests to change
this pattern."  The programmer seemed to just brush it off, when I
said that they could be viewed if their source was viewed, by telling
me that they would be only processed by the server itself, which still
doesn't make me feel good at all.

Shouldn't the password be encrypted?  Separated in their own file?

Is it correct to assume that an attacker who elevated their
privileges on the web box could view these files and gain access to
the database that way through some other method?

What else can be done by an attacker against asp pages that would
allow this data to be discovered?

Also if I could actually just demonstrate it right before their eyes
that would be a big help.

Thanks for any advice.

Ian
:)



Go to www.missingkids.com

Though the words, opinions, and/or policies expressed herein are
probably right, and most likely right if you disagree with them, they
are the personal words, opinions, and/or policies of the person using
this account.  They are not, and the author does not claim they are,
the words, opinions, and/or policies of the company and officers of
Merrill Information Systems Inc., any forum they are placed in, or any
entity other than the author himself that they may appear to
represent.  That being said, the author probably thinks they should be
the opinion of those bodies, unless he is playing the devil's
advocate.

Send complaints or compliments to the author at:

ianian () 333ki ngc on.com

Taking out all numbers and spaces and the first ian in the address,
because spammers use bots, some mailing lists block this information
from prying eyes, and people who pay attention can follow
instructions. 



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and
get $545 off any course! All of our class sizes are guaranteed to be
10 students or less to facilitate one-on-one interaction with one of
our expert instructors. Attend a course taught by an expert instructor
with years of in-the-field pen testing experience in our state of the
art hacking lab. Master the skills of an Ethical Hacker to better
assess the security of your organization. Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------



-- 
Hand over the Slackware CD's and back AWAY from the computer, your geek
rights have been revoked !!!

Michael Gale
Slackware user :)
Bluesuperman.com 



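The original poster wanted a way to show how many pages carry the database password, and the first reply recommends keeping the credentials in the ODBC data source (a DSN) rather than in the script. The following scanner is an added example written for this archive page, not code from any of the posters: it walks an IIS web root, pulls out the server-side <% ... %> blocks from .asp and .inc files, and reports every connection string that carries an inline password, so a DSN-only page (the pattern the first reply recommends) comes back clean. The sample pages, file names (orders.asp, inc/db.inc, safe.asp) and the DSN name OrdersDSN are constructed for the demo and are not from the thread.

```python
"""Find hard-coded database credentials in classic ASP source.

Added example for this mailing-list thread (not code from any poster).
The sample ASP pages below are constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

# Server-side script blocks: only these run on the server; the client never
# receives their text, but anyone who can read the file sees them.
SERVER_BLOCK = re.compile(r"<%(.*?)%>", re.DOTALL)

# Connection-string keys that carry a secret (OLE DB and ODBC spellings).
SECRET_KEY = re.compile(r"\b(pwd|password)\s*=\s*([^;\"']+)", re.IGNORECASE)


def find_inline_credentials(source: str):
    """Return (line_number, key, masked_value) for each password inside <% %>."""
    findings = []
    for block in SERVER_BLOCK.finditer(source):
        for m in SECRET_KEY.finditer(block.group(1)):
            # Translate the match offset back to a line number in the whole file.
            offset = block.start(1) + m.start()
            line_no = source.count("\n", 0, offset) + 1
            value = m.group(2).strip()
            masked = value[:1] + "*" * (len(value) - 1)  # never echo the secret itself
            findings.append((line_no, m.group(1).lower(), masked))
    return findings


def scan_webroot(root: Path, suffixes=(".asp", ".inc")):
    """Map each ASP/include file under root (posix relative path) to its findings."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() in suffixes:
            hits = find_inline_credentials(path.read_text(errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


# Constructed sample pages (hypothetical names and values, not from the thread).
# The first is the pattern the original poster describes: a password inside <% %>.
INLINE_PAGE = """<html><body>
<%
Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=dbhost;Initial Catalog=orders;User ID=webapp;Password=Sup3rS3cret"
%>
<p>The block above never reaches the browser, but it is plain text on disk.</p>
</body></html>
"""

# The pattern the first reply recommends: the page names a DSN and the ODBC
# data source (configured outside the web root) holds the login.
DSN_PAGE = """<%
Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "DSN=OrdersDSN"
%>
"""

# An include file with the password in ODBC spelling (UID/PWD).
INC_FILE = '<% strConn = "DSN=OrdersDSN;UID=webapp;PWD=Sup3rS3cret" %>'


def demo():
    """Build a throwaway web root from the constructed pages and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "orders.asp").write_text(INLINE_PAGE)
        (root / "inc").mkdir()
        (root / "inc" / "db.inc").write_text(INC_FILE)
        (root / "safe.asp").write_text(DSN_PAGE)
        return scan_webroot(root)


if __name__ == "__main__":
    for name, hits in demo().items():
        for line_no, key, masked in hits:
            print(f"{name}:{line_no}: {key}={masked}")
```

Run it against the real web root by calling scan_webroot(Path(r"C:\Inetpub\wwwroot")) instead of demo(); the output lists file and line for every inline password (masked) and stays silent for DSN-only pages, which is the concrete "here is where it is" list the original poster asked for.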

