Re: ASP security in HTML pages
From: Dominic Cleal <domnews () computerkb co uk>
Date: Tue, 29 Jun 2004 07:38:59 +0100
On Mon, 28 Jun 2004 11:22:11 -0400
"Calderon, Juan Carlos (GE Commercial Finance, NonGE)"
<juan.calderon () ge com> wrote:
> From my point of view the easiest way is to use the "friendly" pages to
> show code like the ShowCode.asp page in the IIS samples.

If he's paranoid about the system config and fears that his sysadmin might accidentally mis-configure the server then he
might be able to use a ShowCode.asp-like system to retrieve and show pages.

Depending on his level of paranoia, he could use the same code as ShowCode.asp but with heavy checking to ensure that
nobody uses that exploit, but he'd have to be extremely sure or stupid in case there are other ways to exploit it.

He could otherwise make an index page, which takes a passed variable (page=home, page=sales etc) and a select case
inside the script - each case has an include to a file outside the web serving path. Then if the script gets sent out,
all they see is a select case with a load of includes - they'd know where the files were stored, but as they're outside
the serving directory, as long as there are no more exploits, they're safe.

If he's got loads of pages, he could do a similar thing by replacing each page with a page that just has an include to
the actual code (stored outside the serving directory again). The maintenance might not be fun, but it all depends on
how much he trusts his sysadmin!
dominic () computerkb co uk
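
The two designs discussed in the message above, as an added example that is not part of the original post and is written in Python rather than ASP: a select-case style index page whose request value only picks from a fixed list of files kept outside the served directory, and a ShowCode-style viewer that checks the resolved path before reading. The page names, file names and directory layout are constructed for illustration.

```python
from pathlib import Path
import tempfile

# Fixed allowlist: request value -> file name. The request value is only ever
# used as a dictionary key, never as part of a path (the "select case" idea).
PAGES = {"home": "home.inc", "sales": "sales.inc"}


def render_page(page, content_dir):
    """Select-case style dispatch: unknown values get None (caller sends 404)."""
    name = PAGES.get(page)
    if name is None:
        return None
    return (Path(content_dir) / name).read_text(encoding="utf-8")


def show_source(requested, samples_dir):
    """ShowCode-style viewer with the checking added: resolve the final path
    and refuse anything that does not land inside samples_dir."""
    base = Path(samples_dir).resolve()
    target = (base / requested).resolve()
    if base not in target.parents or not target.is_file():
        return None
    return target.read_text(encoding="utf-8")


def demo():
    """Build a constructed directory layout and exercise both handlers."""
    with tempfile.TemporaryDirectory() as root:
        content = Path(root) / "private"  # outside the served directory
        samples = Path(root) / "wwwroot" / "samples"
        content.mkdir()
        samples.mkdir(parents=True)
        (content / "home.inc").write_text("<h1>Home</h1>", encoding="utf-8")
        (content / "sales.inc").write_text("<h1>Sales</h1>", encoding="utf-8")
        (samples / "hello.txt").write_text("sample listing", encoding="utf-8")
        return {
            "home": render_page("home", content),
            "unknown": render_page("../wwwroot/samples/hello.txt", content),
            "sample": show_source("hello.txt", samples),
            "escape": show_source("../../private/home.inc", samples),
        }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result!r}")
```

The dispatcher has no path handling to get wrong, which is why it needs less scrutiny than the viewer, whose safety depends entirely on the containment check.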