[thelist] [ASP security] source code, Indexserver
Joe Crawford
joe at artlung.com
Wed Apr 5 05:18:06 2000
Wolfgang Bromberger wrote:
> I can not judge if it is an April joke,
> maybe someone else can look at it and
> tell if it is true.
> Thanks,
> .wolf
> http://www.4guysfromrolla.com/webtech/040100-2.shtml
> This should be the patch I read on another list:
> http://www.microsoft.com/downloads/release.asp?ReleaseID=19002
RedStar wrote:
> It's no April joke. It's a very serious security bug. You can even try
> it on most asp based sites and you'll find that only a very small
> percentage don't suffer from it.
> I have a strange feeling that people that use IIS don't really care
> about these kind of things, at least it's not too hard to still find asp
> based sites that suffer from the older ::$DATA bug and that one was
> publicly revealed over 2 years ago.
> The one you refer to already has a patch on the MS site.
Yep. These kinds of bugs are mentioned in Phil Greenspun's excellent
"Philip and Alex's Guide to Web Publishing" -- in the chapter "Sites
that are really programs" -- the book is a year old (and free on the
web) -- so these issues are apparently nothing new.
Check out the chapter here: http://photo.net/wtr/thebook/server-programming.html
| I haven't personally written any Microsoft Active Server
| Pages. Fortunately, Microsoft set up NT/IIS/ASP such that if
| you were curious to see the source code behind
| http://foobar.com/yow.asp, you had only to type
| "http://foobar.com/yow.asp." (note the trailing period) into
| your Netscape and the foreign server would deliver the
| source code right to your desktop. This was a great
| convenience for people trying to learn ASP; however, it
| presented something of a security problem for Web
| publishers, because they would often have their database or
| system administration passwords in the source code. It seems
| that Microsoft's intention was not to make public all of its
| customers' source code and hence they eventually released a
| security patch to change this behavior. However, a few
| months later people learned that requesting
| "http://foobar.com/yow.asp::$DATA" (note the trailing
| "::$DATA") would also get them the source code.
|
| Anyway, thanks to Microsoft's sloppiness, in just a
| couple of hours of surfing one night in July 1998, I managed
| to accumulate a nice collection of ASP examples at
| http://photo.net/wtr/thebook/aspharvest/. Note that I did my
| surfing some time after the bug had become common knowledge
| yet companies such as DIGITAL, Arthur Andersen, and banks
| had not patched their servers.
http://photo.net/wtr/thebook/aspharvest/ is the stuff he collected... He
goes on to make a broader point about security of this non-open source
product later:
| What you should have learned from this section is that,
| if you're going to use Microsoft server tools, you shouldn't
| take any programming shortcuts, leave the database or
| Administrator password in the code, or put any naughty words
| into comments. When the next NT/IIS/ASP bug is discovered
| and your source code becomes public, you want people to
| admire your work!
Which is pretty funny, and an excellent tip about good programming practice.
- Joe
--
Joe Crawford...........electronic mail -> mailto:joe@artlung.com
member......international mailing list -> http://evolt.org/
founder..San Diego/CA/USA mailing list -> http://www.websandiego.org/
Web Designer/etc.............about(me) -> http://www.artlung.com/
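The thread describes two request forms that made IIS hand back ASP source instead of running it: a trailing period after the script name and a "::$DATA" NTFS stream suffix. An administrator who wants to know whether anyone has been probing a server for these gets the most out of the web logs, so here is an added example (mine, not from the list or from the book) that scans IIS W3C extended log lines for both variants. The log lines are constructed for the example, the field layout assumes the common "#Fields:" header IIS writes, and the ".asp"/".asa" extension list is an assumption about which files hold code worth hiding; the "::" check is generalised to any NTFS stream suffix, not just "::$DATA", since any stream name is the same class of request.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of IIS W3C extended log lines (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-04-05 05:10:01 10.0.0.7 GET /default.asp - 200
2000-04-05 05:10:05 10.0.0.7 GET /login.asp. - 200
2000-04-05 05:10:09 10.0.0.7 GET /login.asp::$DATA - 200
2000-04-05 05:10:12 10.0.0.9 GET /images/logo.gif - 200
2000-04-05 05:10:15 10.0.0.9 GET /admin/db.asp::$DATA - 404
"""

# Assumption: extensions whose files contain server-side code (and often
# connection strings) and therefore must never be served as plain text.
SCRIPT_EXTENSIONS = {".asp", ".asa"}


@dataclass
class Finding:
    client: str
    uri: str
    status: int
    variant: str  # "trailing-dot" or "ntfs-stream"


def classify_uri(uri: str) -> Optional[str]:
    """Return which source-disclosure variant a request path matches, or None.

    A trailing '.' or any '::stream' suffix on a script file is the shape of
    the requests discussed in the thread; other files are ignored.
    """
    if uri.endswith("."):
        stem, variant = uri.rstrip("."), "trailing-dot"
    elif "::" in uri:
        stem, variant = uri.partition("::")[0], "ntfs-stream"
    else:
        return None
    name = stem.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return variant if ext in SCRIPT_EXTENSIONS else None


def scan_iis_log(text: str) -> List[Finding]:
    """Parse W3C extended log text and collect requests that match a variant."""
    fields = None
    findings: List[Finding] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        rec = dict(zip(fields, values))
        variant = classify_uri(rec["cs-uri-stem"])
        if variant:
            findings.append(Finding(rec["c-ip"], rec["cs-uri-stem"],
                                    int(rec["sc-status"]), variant))
    return findings


def served_findings(text: str) -> List[Finding]:
    """Matches the server answered with 200: the ones worth checking first,
    since an unpatched server returns the script body for these requests."""
    return [f for f in scan_iis_log(text) if f.status == 200]


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"{f.client} {f.variant:12} {f.status} {f.uri}")
```

A 404 on one of these requests is consistent with a patched server; a 200 means the server answered the malformed name and the response body should be compared against the script's source. The same classify_uri check can also sit in front of the application to reject such paths outright.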