To read the article online, visit http://www.4GuysFromRolla.com/webtech/040100-2.shtml

Security Hole - Users can View your ASP Source Code!


Another security hole has been detected. This security hole will let users view the source code for your ASP pages by visiting the following URL:

    http://www.yoursite.com/null.htw?CiWebHitsFile=/yourfile.asp%20&CiRestriction=none&CiHiliteType=Full
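To check whether requests of this shape have already reached a server, the web logs can be searched for them. The script below is an added example, not part of the original article: it scans IIS logs in W3C extended format for requests to `.htw` files whose `CiWebHitsFile` parameter names an `.asp`/`.asa` file or ends in whitespace. The log lines are constructed, the function name is hypothetical, and the column layout is assumed to come from the log's `#Fields:` directive.

```python
from urllib.parse import parse_qs

# Constructed sample in W3C extended log format (not taken from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-04-01 10:00:01 192.0.2.10 GET /default.asp - 200
2000-04-01 10:00:07 192.0.2.44 GET /null.htw CiWebHitsFile=/yourfile.asp%20&CiRestriction=none&CiHiliteType=Full 200
2000-04-01 10:00:09 192.0.2.44 GET /NULL.HTW ciwebhitsfile=/global.asa+&cihilitetype=full 200
2000-04-01 10:01:30 192.0.2.15 GET /search/hits.htw CiWebHitsFile=/docs/faq.htm&CiRestriction=iis&CiHiliteType=Full 200
"""

SCRIPT_EXTENSIONS = (".asp", ".asa")  # server-side files whose source must not be served


def find_htw_source_requests(log_text):
    """Return (line_no, client_ip, target, reasons) for suspicious .htw hits."""
    fields, findings = [], []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith(".htw"):
            continue
        # Parameter names are matched case-insensitively; parse_qs decodes %20 and '+'.
        query = {k.lower(): v[0] for k, v in
                 parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True).items()}
        target = query.get("ciwebhitsfile", "")
        reasons = []
        if target != target.rstrip():
            reasons.append("trailing whitespace after file name")
        if target.strip().lower().endswith(SCRIPT_EXTENSIONS):
            reasons.append("target is a server-side script")
        if reasons and query.get("cihilitetype", "").lower() == "full":
            reasons.append("full-document hit highlighting requested")
        if reasons:
            findings.append((line_no, row.get("c-ip", "?"), target.strip(), reasons))
    return findings


if __name__ == "__main__":
    for line_no, ip, target, reasons in find_htw_source_requests(SAMPLE_LOG):
        print(f"line {line_no}: {ip} -> {target}: {'; '.join(reasons)}")
```

Ordinary hit-highlighting requests for static documents, like the last sample line, are not reported.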

A patch is available from Microsoft to fix this problem. Get the fix at:

To learn more about security issues with ASP/IIS, be sure to read ASP Security Holes. You can also join the ASP Security Holes listserv over at ASPLists.com.

Here are some selected messages from the discussion on the ASP Security Holes ListServ:

From John D.
Aside from installing the Microsoft patch, I removed all the application mappings (except .asa .asp) under the Home Directory / Configuration for the WWW Service properties to keep anything else from being executed. This will keep IIS from executing (associating file with ISAPI filter) unwanted extensions.

To do this:

01. Open the Microsoft Management Console
02. Right click the server name and select "properties"
03. Select your master properties for the site (usually "WWW Service") and click EDIT
04. Now select the HOME DIRECTORY tab and click the CONFIGURATION button.
05. Remove all application mappings you are not currently using (I left .asa and .asp)
* You may be prompted for child nodes, just accept as this will propagate across all hosted sites under IIS


Other Security Issues with ASP

  • Protecting yourself Against ::$DATA


  • Article Information
    Article Title: Security Hole - Users can View your ASP Source Code!
    Article Author: Scott Mitchell
    Published Date: Saturday, April 01, 2000
    Article URL: http://www.4GuysFromRolla.com/webtech/040100-2.shtml

