>- In the AltaVista search engine execute a search for
>+"Microsoft VBScript runtime error" +".inc, "
>- Look for search results that include the full
>path and filename for an include (.inc) file.
>- Append the include filename to the host name
>and call this up in a web browser.
>Example: www.rodney.com/stationery/browser.inc

If you follow any of the ASP newsgroups, websites, or mailing lists they always recommend one of 2 actions to prevent problems with include files.

1. Associate .inc files with the asp interpreter.
2. Name all of your include files with the .asp extension instead of .inc. There is no reason that the files need an .inc extension.

This will ensure that if someone finds the name of your include file through an error or even by guessing they will not see anything compromising.

In regards to the specific issues above:

"Active server pages (ASP) with runtime errors expose a security hole that publishes the full source code name to the caller"

This can be prevented at the server level by changing the "Script Error Messages" property in IIS from "Send detailed ASP error messages to client" to "Send text error message to client". This property then lets you specify what error message to send. All further errors will simply receive that text message instead of the actual error.
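Added example, not part of the original message: a small audit that walks a web root, reads the `#include` directives in each ASP page, and lists the include files that would still be sent as plain text because their extension is not handled by the ASP interpreter. The function names, the `SCRIPT_MAPPED` set and the sample site are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: extensions the audited server maps to the ASP interpreter.
# Add ".inc" only if that mapping is really configured in IIS (action 1).
SCRIPT_MAPPED = {".asp"}

# Server-side include directive: <!-- #include file="x.inc" --> or virtual="/x.inc"
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE)

def find_exposed_includes(web_root, script_mapped=SCRIPT_MAPPED):
    """Return sorted (page, include) pairs whose include would be sent as plain text."""
    root = Path(web_root).resolve()
    findings = set()
    for page in root.rglob("*"):
        if not page.is_file() or page.suffix.lower() not in script_mapped:
            continue
        for kind, target in INCLUDE_RE.findall(page.read_text(errors="replace")):
            target = target.replace("\\", "/")
            base = root if kind.lower() == "virtual" else page.parent
            inc = (base / target.lstrip("/")).resolve()
            if inc.suffix.lower() in script_mapped or not inc.is_file():
                continue  # interpreted by the server, or a dangling reference
            try:
                rel = inc.relative_to(root)
            except ValueError:
                continue  # stored outside the web root, so not reachable by URL
            findings.add((page.relative_to(root).as_posix(), rel.as_posix()))
    return sorted(findings)

def demo(script_mapped=SCRIPT_MAPPED):
    """Run the audit over a small constructed site (sample data, not from the post)."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        for d in ("shop", "inc"):
            (site / d).mkdir()
        (site / "shop" / "conn.inc").write_text("<% ' constructed sample %>")
        (site / "inc" / "header.asp").write_text("<% ' constructed sample %>")
        (site / "inc" / "util.INC").write_text("<% ' constructed sample %>")
        (site / "shop" / "default.asp").write_text(
            '<!-- #include file="conn.inc" -->\n'
            '<!--#INCLUDE VIRTUAL="/inc/header.asp"-->\n'
            '<!-- #include virtual="/inc/util.INC" -->\n')
        return find_exposed_includes(site, script_mapped)

if __name__ == "__main__":
    for page, inc in demo():
        print(f"{page} includes {inc}: served as text unless renamed or script-mapped")
```

Each reported file is a candidate for renaming to .asp or for the .inc script mapping; an empty result means every include found in the scanned pages is interpreted rather than served.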
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:35:02 PDT