To read the article online, visit http://www.4GuysFromRolla.com/webtech/092298-1.shtml

Protecting Yourself Against ::$DATA


Introduction:
One of the advantages of ASP is that it is processed on the server side, and the client is sent only raw HTML. Therefore, your valuable code is not available for any old web surfer to view. However, back in July '98 a "security hole" was found that let web surfers view the contents of your ASP files. This is bad. All they had to do, and still have to do, is type ::$DATA at the end of the URL. (For example, "http://www.mydomain.com/myaspfile.asp::$DATA".) This can be fixed, although not everyone is aware of the security issue. Below is a question from the Active Server Pages Mailing List, and a corresponding answer from Peter Brunone.


Protecting Yourself:
The question :

I have a question regarding the "::$DATA" literal appended to the end of an HREF of an .asp page in the address bar of a browser (e.g. www.blah.com/blah/aspPage.asp::$DATA). I notice at some web sites, adding this reveals all server side scripting. However, other sites have this disabled. How can you disable this so that server side code is not revealed? I don't know whether this is an IIS switch or an .asp function.

And the answer from Mr. Brunone:

Actually, this is a characteristic of all NT files. Scary, isn't it?

You can disable this by setting ASP directories to have only execute permissions (and NOT Read permissions). That way your asp files will never be read (as in the data stream you've been getting); they will only be executed, yielding simple HTML to the client.



Conclusion:
As mentioned in the introduction, this security problem has been known since July of 1998. If you have yet to fix this on your web server, you may wish to do so promptly. Remember, part of the appeal of Active Server Pages is the fact that your code is hidden from the prying eyes of your competitors. Happy Programming!


UPDATE!!!

There is a hotfix for the ::$DATA bug available at http://www.microsoft.com/ntserver/nts/downloads/archive/NTOPQFE/default.asp.

You should also be sure to read this KB article at Microsoft's site: ::$DATA Data Stream Name May Return Source (Microsoft KB Article)



Article Information
Article Title: Protecting Yourself Against ::$DATA
Article Author: Scott Mitchell
Published Date: Tuesday, September 22, 1998
Article URL: http://www.4GuysFromRolla.com/webtech/092298-1.shtml

