Home page logo

webappsec logo WebApp Sec mailing list archives

Patching IIS (was - RE: ASP security in HTML pages)
From: "Wolf, Yonah" <Yonah.Wolf () ujc org>
Date: Mon, 28 Jun 2004 14:25:41 -0400


 I seems that a lot of these responses are pointing out age-old flaws in ASP - stuff that was around 3-4 years ago. If 
someone were to properly configure and/or patch their server (say, by running the IIS lockdown tool) they would not be 
exposed to these vulnerabilities. In light of that I just wanted to point out several things:

        - It's not the holes you close, but the ones you need to keep open that you need to worry about (hence the need 
for web app security)

        - I understand if someone gets taken by a new flaw when it first comes out, but it is a sorry state of affairs 
when ASP flaws from 3 years ago are still being exploited - I just can't understand why well-known security patches 
aren't being applied!?!?

        - Steps to protect your source code, especially if that code is contained in scripts, is like the false 
security of a life preserver in shark-infested waters - it will help you, but to a point.

  By Date           By Thread  

Current thread:
  • Patching IIS (was - RE: ASP security in HTML pages) Wolf, Yonah (Jun 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]