Published: Saturday, April 01, 2000

Security Hole - Users can View your ASP Source Code!


Another security hole has been detected. This security hole will let users view the source code for your ASP pages by visiting the following URL:

    http://www.yoursite.com/null.htw?CiWebHitsFile=/yourfile.asp%20&CiRestriction=none&CiHiliteType=Full

A patch is available from Microsoft to fix this problem. Get the fix at:

To learn more about security issues with ASP/IIS, be sure to read ASP Security Holes. You can also join the ASP Security Holes listserv over at ASPLists.com.
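
To check whether a server has already received requests of the shape shown above, the following Python sketch scans IIS logs for them. It is an added example, not part of the original article; the W3C field layout, the function names and the sample log lines are constructed assumptions.

```python
from urllib.parse import parse_qs

# Assumption: logs are in W3C extended format with a "#Fields:" header line.
SCRIPT_EXTS = (".asp", ".asa")  # files whose source should never be served

def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def is_htw_source_probe(entry):
    """True if the request matches the .htw URL shape from the article."""
    if not entry.get("cs-uri-stem", "").lower().endswith(".htw"):
        return False
    # parse_qs URL-decodes values, so "%20" or "+" becomes a trailing space.
    raw = parse_qs(entry.get("cs-uri-query", ""))
    query = {k.lower(): v[0] for k, v in raw.items()}
    target = query.get("ciwebhitsfile", "").strip().lower()
    full = query.get("cihilitetype", "").lower() == "full"
    return full and target.endswith(SCRIPT_EXTS)

def find_probes(lines):
    """Return (client IP, raw query) for every matching log entry."""
    return [(e["c-ip"], e["cs-uri-query"]) for e in parse_w3c(lines)
            if is_htw_source_probe(e)]

# Constructed sample log (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-04-01 10:00:01 192.0.2.10 GET /default.asp - 200
2000-04-01 10:00:05 198.51.100.7 GET /null.htw CiWebHitsFile=/yourfile.asp%20&CiRestriction=none&CiHiliteType=Full 200
2000-04-01 10:00:09 192.0.2.11 GET /search/hits.htw CiWebHitsFile=/docs/readme.htm&CiRestriction=asp&CiHiliteType=Full 200
2000-04-01 10:00:12 198.51.100.7 GET /NULL.HTW ciwebhitsfile=/global.asa+&cirestriction=none&cihilitetype=full 200
"""

if __name__ == "__main__":
    for ip, query in find_probes(SAMPLE_LOG.splitlines()):
        print(f"possible ASP source disclosure attempt from {ip}: {query}")
```

A hit with status 200 on an unpatched server means the named file's source may have been returned, so any credentials or connection strings in that file should be treated as exposed.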

Here are some selected messages from the discussion on the ASP Security Holes ListServ:

From John D.
Aside from installing the Microsoft patch, I removed all the application mappings (except .asa .asp) under the Home Directory / Configuration for the WWW Service properties to keep anything else from being executed. This will keep IIS from executing (associating file with ISAPI filter) unwanted extensions.

To do this:

01. Open the Microsoft Management Console
02. Right click the server name and select "properties"
03. Select your master properties for the site (usually "WWW Service") and click EDIT
04. Now select the HOME DIRECTORY tab and click the CONFIGURATION button.
05. Remove all application mappings you are not currently using (I left .asa and .asp)
* You may be prompted for child nodes; just accept, as this will propagate across all hosted sites under IIS


Other Security Issues with ASP

  • Protecting yourself Against ::$DATA

