On Mon, 28 Jun 2004 11:22:11 -0400
"Calderon, Juan Carlos (GE Commercial Finance, NonGE)"
<juan.calderon_at_ge.com> wrote:
> Hi!
>
> From my point of view the easiest way is to use the "frendly" pages to
> show code like ShowCode.asp page at IIS samples.
>
> (Background)
> http://support.microsoft.com/default.aspx?scid=kb;en-us;232449
>
> (Exploit)
> http://www.atstake.com/research/advisories/1999/showcode.txt
>
> (Both)
> http://www.securityfocus.com/infocus/1317
>
> Cheers
> JC
If he's paranoid about the system config and fears that his sysadmin might accidently mis-configure the server then he might be able to use a ShowCode.asp like system to retrieve and show pages.
Depending on his level of paranoia, he could use the same code as ShowCode.asp but with heavy checking to ensure that nobody uses that exploit, but he'd have to be extremely sure or stupid in case there are other ways to exploit it.
He could otherwise make an index page, which takes a passed variable (page=home, page=sales etc) and a select case inside the script - each case has an include to a file outside the web serving path. Then if the script gets sent out, all they see is a select case with a load of includes - they'd know where the files were stored, but as they're outside the serving directory, as long as there no more exploits, they're safe.
If he's got loads of pages, he could do a similar thing by replacing each page with a page that just has an include to the actual code (stored outside the serving directory again). The maintenace might not be fun, but it all depends on how much he trusts his sysadmin!
--
Dominic Cleal
dominic_at_computerkb.co.uk
Received on Jun 29 2004
Intro
