Home page logo
/

webappsec logo WebApp Sec mailing list archives

Re: ASP security in HTML pages
From: Dominic Cleal <domnews () computerkb co uk>
Date: Tue, 29 Jun 2004 07:38:59 +0100

On Mon, 28 Jun 2004 11:22:11 -0400
"Calderon, Juan Carlos (GE Commercial Finance, NonGE)"
<juan.calderon () ge com> wrote:

Hi!

From my point of view the easiest way is to use the "frendly" pages to
show code like ShowCode.asp page at IIS samples.

(Background)
http://support.microsoft.com/default.aspx?scid=kb;en-us;232449

(Exploit)
http://www.atstake.com/research/advisories/1999/showcode.txt

(Both)
http://www.securityfocus.com/infocus/1317

Cheers
JC

If he's paranoid about the system config and fears that his sysadmin might accidently mis-configure the server then he 
might be able to use a ShowCode.asp like system to retrieve and show pages.

Depending on his level of paranoia, he could use the same code as ShowCode.asp but with heavy checking to ensure that 
nobody uses that exploit, but he'd have to be extremely sure or stupid in case there are other ways to exploit it.

He could otherwise make an index page, which takes a passed variable (page=home, page=sales etc) and a select case 
inside the script - each case has an include to a file outside the web serving path.  Then if the script gets sent out, 
all they see is a select case with a load of includes - they'd know where the files were stored, but as they're outside 
the serving directory, as long as there no more exploits, they're safe.

If he's got loads of pages, he could do a similar thing by replacing each page with a page that just has an include to 
the actual code (stored outside the serving directory again).  The maintenace might not be fun, but it all depends on 
how much he trusts his sysadmin!

-- 
Dominic Cleal
dominic () computerkb co uk


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]