Another security hole has been detected. This security hole will let users view the source code for your ASP pages by visiting the following URL:
http://www.yoursite.com/null.htw?CiWebHitsFile=/yourfile.asp%20&CiRestriction=none&CiHiliteType=Full
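To check whether requests of this shape have already reached a server, the web logs can be searched for `.htw` requests whose `CiWebHitsFile` parameter names a script file. The following Python is an added example, not part of the original article; it assumes IIS W3C extended logging with the `#Fields:` layout shown, and the log lines, IP addresses and the function name `find_htw_source_requests` are constructed for illustration.

```python
from urllib.parse import parse_qs, unquote

# Constructed W3C extended log sample (not real traffic); field layout is an assumption.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-02-01 10:00:01 192.0.2.10 GET /default.asp - 200
2000-02-01 10:00:05 192.0.2.44 GET /null.htw CiWebHitsFile=/yourfile.asp%20&CiRestriction=none&CiHiliteType=Full 200
2000-02-01 10:00:09 192.0.2.44 GET /NULL.HTW ciwebhitsfile=/global.asa%20&cirestriction=none&cihilitetype=full 200
2000-02-01 10:00:12 192.0.2.77 GET /search/results.htw CiWebHitsFile=/docs/readme.htm&CiRestriction=iis&CiHiliteType=Full 200
"""

# Server-side script types whose source should never be returned to a client.
SCRIPT_EXTS = (".asp", ".asa")


def find_htw_source_requests(log_text):
    """Return (client_ip, requested_file, status) for every .htw request
    whose CiWebHitsFile target is a server-side script."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order comes from the log's own header, not a fixed position.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = unquote(row.get("cs-uri-stem", "")).lower()
        if not stem.endswith(".htw"):
            continue
        # Compare parameter names case-insensitively so case variants are
        # not missed (a conservative choice made for this example).
        raw_query = row.get("cs-uri-query", "")
        query = {k.lower(): v[0] for k, v in parse_qs(raw_query).items()}
        # parse_qs percent-decodes the value; strip() drops the trailing
        # space that the %20 in the URL above turns into.
        target = query.get("ciwebhitsfile", "").strip()
        if target.lower().endswith(SCRIPT_EXTS):
            hits.append((row.get("c-ip"), target, row.get("sc-status")))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_htw_source_requests(SAMPLE_LOG):
        print(f"{ip} requested source of {path} via .htw (status {status})")
```

A 200 status on a flagged line means the server answered the request, so the named file should be treated as disclosed and reviewed for embedded credentials or connection strings.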
A patch is available from Microsoft to fix this problem. Get the fix at:
To learn more about security issues with ASP/IIS, be sure to read ASP Security Holes. You can also join the ASP Security Holes listserv over at ASPLists.com.
Here are some selected messages from the discussion on the ASP Security Holes ListServ:
From John D.:

Aside from installing the Microsoft patch, I removed all the application mappings (except .asa .asp) under the Home Directory / Configuration for the WWW Service properties to keep anything else from being executed. This will keep IIS from executing (associating file with ISAPI filter) unwanted extensions.
To do this:
01. Open the Microsoft Management Console