Home page logo
/

webappsec logo WebApp Sec mailing list archives

RE: Global.asa security under IIS 6.0
From: "dinis () ddplus net" <dinis () ddplus net>
Date: Wed, 09 Jun 2004 09:36:24 -0700 (PDT)

Of course that if you are hosting your website in a
shared hosting environment and the Hoster allows Full
Trust Asp.Net (or support FPSE 2002 without proper
security configuration), then your Global.Asa or
Web.Config can be easily read by a malicious user with
access to a valid account in that server.

Dinis

On Wed, 9 Jun 2004 10:20:45 -0400, "Don Tuer" wrote


Basically IIS will not return global.asa (and other
configuration files)
for any reason to a request. The only way to access
this file is exploit
known or unknown vulnerabilities in IIS. This implies
that you must keep
IIS patched. For .NET Microsoft has made many
improvements in security
including allowing you to encrypt passwords in the
configuration files
(ie web.config).

Thanks
Don 

-----Original Message-----
From: Bénoni MARTIN
[mailto:Benoni.MARTIN () libertis ga] 
Sent: Tuesday, June 08, 2004 4:18 AM
To: webappsec () securityfocus com;
pen-test () securityfocus com
Subject: Global.asa security under IIS 6.0

Hi list !

I am wondering about how much secure is the
"global.asa" file in ASP. It
= seems that we can gather there most of the
parameters
used with our
ASP = pages, but it can be also a weakness if a
malicious guy gets
access to = it !


So anyone one knows how secure is it to use
global.asa,
how can we get =
it from a website (IIS refuses access to it with an =
http://blahblahblah.com/global.asa)...and how can we
avoid people =
stealing if ?


Thanks in advance!

----------------------------------------
Scanned by Emailfiltering.co.uk


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault