Home page logo

webappsec logo WebApp Sec mailing list archives

RE: ASP security in HTML pages
From: "Dinis Cruz" <dinis () ddplus net>
Date: Mon, 28 Jun 2004 21:50:43 +0100

It wasn't misconfiguration since the Website was working perfectly before
that (for several months).

My opinion (since FastHosts didn't give me access to the logs) is that the
.Net framework somehow got corrupted.

Comments from FastHost's support staff (in March 2004): 

"...The .Net Framework appeared to have become corrupted on the domain,
after reinstalling the framework via the control panel, this resolved the
issue. We can't guarantee this won't happen again and sadly it's not
possible for me to find out the exact reason as to why this occured, however
this is a very rare occurance and it is extremely unlikely the issue will


"... Personally, I have only seen this issue occur once in the past 8
months. In what respect do you require logs? You can see the standard
logfiles for your site within the 'logfiles' folder on the domain's FTP,
however no other logs are available. ..."

I haven't had time to further investigate this since it would be very useful
to understand the cause of the problem (although FastHosts have already seen
this problem at least twice).


-----Original Message-----
From: Calderon, Juan Carlos (GE Commercial Finance, NonGE)
[mailto:juan.calderon () ge com]
Sent: 28 June 2004 15:15
To: Dinis Cruz; Steve McCullough; security-basics () securityfocus com;
webappsec () securityfocus com
Subject: RE: ASP security in HTML pages

Hello Dinis

IMHO this occurred because .Net Framework was not correctly installed,
more specific the ISAPI extension, this is a common error when the .NET
Framework is intalled after IIS is for example. so IIS shows aspx pages
content instead of process it.


-----Original Message-----
From: Dinis Cruz [mailto:dinis () ddplus net]
Sent: Sunday, June 27, 2004 12:10 PM
To: 'Steve McCullough'; security-basics () securityfocus com;
webappsec () securityfocus com
Subject: RE: ASP security in HTML pages

On the point of IIS 6.0 disclosing source code, I have already experienced
in one of my test ISP accounts (with FastHosts.com) a situation where the
source code of the Asp.Net pages was being sent directly to the client
the *.aspx was being handled as a normal webpage).

Fasthosts refused to give me more details about the circumstances around
event (like logs, open threads, debug information, etc...) so I was not
to find more information about what caused the problem in the first place.


-----Original Message-----
From: Steve McCullough [mailto:website () showmethesmut com]
Sent: 25 June 2004 12:30
To: security-basics () securityfocus com; webappsec () securityfocus com
Subject: RE: ASP security in HTML pages

Hi all,

I'd like to point out that there have been plenty of ways to get IIS to
reveal ASP source code. Some examples:


As _Hacking Web Applications Exposed_ puts it: "With the track record
IIS has had in the source disclosure department, it's never a good idea
assume that someone won't be able to view your source code" (55).

It's sometimes suggested that scripters wrap database connection
encryption keys, and other sensitive information in COM objects to keep
private. Are there alternatives? What sorts of strategies do people use
keep their script contents confidential?


Steve McCullough
Web designer

-----Original Message-----
From: Harrison Gladden [mailto:linuxguru80 () yahoo com]
Sent: Thursday, June 24, 2004 6:51 PM
To: Binoni_MARTIN
Cc: security-basics () securityfocus com; webappsec () securityfocus com
Subject: RE: ASP security in HTML pages

The replies still stand.  The only way the unprocessed
asp page will make it to the client is if there is a
"fatal" flaw/misconfiguration of the IIS server.
Otherwise all request for the file via the http web
server will be processed by the asp dll engine.
However if you request the file via ftp or something
of the sort then yes you will get the unprocesses code
back from the server.

--- Binoni_MARTIN <Benoni.MARTIN () libertis ga> wrote:
Well, it seems I have not been very shape in my last
posting. I know ASP code is executed on the server's
side, and not in the client's browser (it will just
receive the results of the scriting).

But if a client requests "toto.asp", despite of if
it will receive the "toto.asp" WITHOUT the ASP
scripts, the server has a "full toto.asp" WITH the
asp scripts. So my question was: as the server has
in his directory this "full toto.asp", is there a
way to get the "full toto.asp" from the server?

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]