Published: Saturday, April 01, 2000
Security Hole - Users can View your ASP Source Code!
Another security hole has been detected. This security hole will let users view the source code
for your ASP pages by visiting the following URL:
A patch is available from Microsoft to fix this problem. Get the fix at:
To learn more about security issues with ASP/IIS, be sure to read
ASP Security Holes. You can also join the
ASP Security Holes listserv over at
ASPLists.com.
Here are some selected messages from the discussion on the
ASP Security Holes ListServ:
From John D.
Aside from installing the Microsoft patch, I removed all the application
mappings (except .asa .asp) under the Home Directory / Configuration for the
WWW Service properties to keep anything else from being executed. This will
keep IIS from executing (associating file with ISAPI filter) unwanted
extensions.
To do this:
01. Open the Microsoft Management Console
02. Right click the server name and select "properties"
03. Select your master properties for the site (usually "WWW Service") and
click EDIT
04. Now select the HOME DIRECTORY tab and click the CONFIGURATION button.
05. Remove all application mappings you are not currently using (I left .asa
and .asp)
* You may be prompted for child nodes; just accept, as this will propagate
across all hosted sites under IIS
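
The mapping cleanup described in the message above can be checked afterwards with a short audit script. This is an added example, not part of John D.'s message or the original article. It assumes the mappings have been exported as strings in the `extension,handler,flags,verbs` layout used by the IIS metabase ScriptMaps property; the sample entries and the names `ALLOWED`, `parse_entry` and `audit` are constructed for illustration.

```python
# Added example: audit IIS script mappings against an allowlist.
# Assumption: each entry uses the metabase ScriptMaps layout
#   "<extension>,<handler path>,<flags>[,<verb>,...]"
ALLOWED = {".asa", ".asp"}  # the two mappings the message keeps

# Constructed sample input, not taken from a real server.
SAMPLE_SCRIPT_MAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".ASA,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST",
    r".idc,C:\WINNT\System32\inetsrv\httpodbc.dll,1,GET,POST",
    r".shtml,C:\WINNT\System32\inetsrv\ssinc.dll,1,GET,POST",
    r"*,C:\example\filter.dll,1",
    "garbage-without-fields",
]


def parse_entry(entry):
    """Split one mapping into (extension, handler, verbs); None if malformed."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3 or not parts[0] or not parts[1]:
        return None
    ext = parts[0].lower()  # extensions are compared case-insensitively
    if ext != "*" and not ext.startswith("."):
        return None
    return ext, parts[1], parts[3:]


def audit(script_maps, allowed=ALLOWED):
    """Return (to_remove, malformed): mappings outside the allowlist and
    entries that could not be parsed and need a manual look."""
    to_remove, malformed = [], []
    for entry in script_maps:
        parsed = parse_entry(entry)
        if parsed is None:
            malformed.append(entry)
        elif parsed[0] not in allowed:
            to_remove.append(parsed)
    return to_remove, malformed


if __name__ == "__main__":
    remove, bad = audit(SAMPLE_SCRIPT_MAPS)
    for ext, handler, verbs in remove:
        print(f"REMOVE {ext:8} -> {handler} (verbs: {', '.join(verbs) or 'none listed'})")
    for entry in bad:
        print(f"CHECK  unparseable entry: {entry!r}")
```

An empty `to_remove` list after the cleanup means only the allowlisted extensions are still mapped to a handler.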
Other Security Issues with ASP
Protecting yourself Against ::$DATA