WebApp Sec mailing list archives
Patching IIS (was - RE: ASP security in HTML pages)
From: "Wolf, Yonah" <Yonah.Wolf () ujc org>
Date: Mon, 28 Jun 2004 14:25:41 -0400
All,
I seems that a lot of these responses are pointing out age-old flaws in ASP - stuff that was around 3-4 years ago. If
someone were to properly configure and/or patch their server (say, by running the IIS lockdown tool) they would not be
exposed to these vulnerabilities. In light of that I just wanted to point out several things:
- It's not the holes you close, but the ones you need to keep open that you need to worry about (hence the need
for web app security)
- I understand if someone gets taken by a new flaw when it first comes out, but it is a sorry state of affairs
when ASP flaws from 3 years ago are still being exploited - I just can't understand why well-known security patches
aren't being applied!?!?
- Steps to protect your source code, especially if that code is contained in scripts, is like the false
security of a life preserver in shark-infested waters - it will help you, but to a point.
Current thread:
- Patching IIS (was - RE: ASP security in HTML pages) Wolf, Yonah (Jun 28)
