Hi Graham,

The exploit you refer to is the "showcode.asp" exploit which emerged in 1999. Other exploits of a similar nature exist, all based on the fact that sensitive application code in the form of SAMPLE code is installed when IIS, MDAC etc. are installed using a 'typical' setup.

Always go to great lengths to ensure that such sample files are never installed on production web servers, and do an audit of virtual directories and the files under them to ensure the same.

It is definitely a bad idea to assume anything about the bad guys not being able to see your code ;-) Always wrap your business logic and data access into components, which you can then call from ASP... thereby you get one more layer to hide behind.

Microsoft has a checklist which might help you: http://www.microsoft.com/technet/security/iischk.asp

Regards,
Arvind Shyamsundar
Brainbench MVP for Internet Security
http://www.brainbench.com

-----Original Message-----
From: Graham Coles [mailto:graham.coles@RETAIL-LOGIC.COM]
Sent: Tuesday, May 01, 2001 11:02 PM
Subject: guidelines for secure ASP pages

Someone recently asked me about this - are there any URLs or text files that provide a routine checklist of things to be avoided when writing web pages using ASP (i.e. not hardcoding passwords etc.)?

The question was based around not being able to obtain the source of an ASP page from IIS 4 (NT) - I've seen a number of ways around this which I assume have been fixed if all of the latest patches have been applied; however, is it just a really bad idea to assume that unauthorized people won't be able to see the source to these pages, or does this actually work in practice?

--
Graham Coles

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.
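The audit of virtual directories that Arvind recommends, as an added example that is not part of either message: a script that walks a web root and flags content left behind by a 'typical' IIS/MDAC setup. The directory and file names it looks for are an assumed starting list of well-known sample locations (showcode.asp is the one named in the thread), and the web root it builds is constructed for the demonstration.

```python
import os
import tempfile

# Directories a 'typical' IIS 4 / MDAC setup populates with sample content.
# Assumed starting list of well-known locations, not a complete inventory.
SAMPLE_DIRS = {"iissamples", "iishelp", "iisadmpwd", "msadc/samples"}
# Sample source-viewer scripts; showcode.asp is the one the thread names.
SAMPLE_FILES = {"showcode.asp", "codebrws.asp", "viewcode.asp"}


def classify(relpath):
    """Return a reason if relpath (posix form, relative to the web root)
    is sample content that has no place on a production server, else None."""
    parts = relpath.lower().split("/")
    # Check every directory prefix, so nested sample trees are caught too.
    for i in range(1, len(parts)):
        prefix = "/".join(parts[:i])
        if prefix in SAMPLE_DIRS or parts[i - 1] in SAMPLE_DIRS:
            return "inside sample directory " + prefix
    if parts[-1] in SAMPLE_FILES:
        return "sample source viewer " + parts[-1]
    return None


def audit_webroot(root):
    """Walk the web root and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            reason = classify(rel.replace(os.sep, "/"))
            if reason:
                findings.append((rel.replace(os.sep, "/"), reason))
    return sorted(findings)


def build_demo_root():
    """Constructed web root: real application pages mixed with sample content."""
    root = tempfile.mkdtemp(prefix="iis_audit_")
    for rel in ["default.asp", "app/orders.asp",
                "msadc/Samples/viewer/showcode.asp",   # constructed layout
                "IISSAMPLES/ExAir/default.asp",
                "scripts/tools/showcode.asp"]:          # copied outside its dir
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("<% ' constructed placeholder %>\n")
    return root


if __name__ == "__main__":
    for rel, reason in audit_webroot(build_demo_root()):
        print(rel, "->", reason)
```

Matching is by path name only, so it complements (rather than replaces) checking the virtual directory mappings in the IIS console, where a sample tree can be mapped under an innocuous alias.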
This archive was generated by hypermail 2b30 : Wed May 02 2001 - 12:04:31 PDT