Re: guidelines for secure ASP pages

From: Arvind Shyamsundar (Arvind.Shyamsundarat_private)
Date: Wed May 02 2001 - 00:34:06 PDT


    Hi Graham,
    
    The exploit you refer to is the "showcode.asp" exploit which emerged in
    1999. Other exploits of similar nature exist, all based on the fact that
    sensitive application code in the form of SAMPLE code is installed when IIS,
    MDAC etc. are installed using a 'typical' setup.
    
    Always go to great lengths to ensure that such sample files are never
    installed on production web servers, and do an audit of virtual directories
    and the files under them to ensure the same. It is definitely a bad idea to
    assume anything about the bad guys not being able to see your code ;-)
    
    Always wrap your business logic and data access into components, which you
    can then call from ASP... thereby you get one more layer to hide behind.
    
    Microsoft has a checklist which might help you:
    
    http://www.microsoft.com/technet/security/iischk.asp
    
    Regards,
    
    Arvind Shyamsundar
    
    Brainbench MVP for Internet Security
    http://www.brainbench.com
    
    -----Original Message-----
    From: Graham Coles [mailto:graham.coles@RETAIL-LOGIC.COM]
    Sent: Tuesday, May 01, 2001 11:02 PM
    Subject: guidelines for secure ASP pages
    
    
    Someone recently asked me about this - are there any URLs
    or text files that provide a routine checklist of things to be
    avoided when writing web pages using ASP (i.e. not hardcoding
    passwords etc.)?
    
    The question was based around not being able to obtain the
    source of an ASP page from IIS 4 (NT) - I've seen a number
    of ways around this which I assume have been fixed if all of
    the latest patches have been applied, however is it just a
    really bad idea to assume that unauthorized people won't
    be able to see the source to these pages or does this actually
    work in practice?
    
    --
    Graham Coles
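The audit Arvind recommends (virtual directories and the files under them, checked for sample content) can be scripted. The following is an added example, not code from either poster or from Microsoft; it walks a set of virtual-directory mappings and reports anything matching an audit list. `showcode.asp` is the file named in the thread; the directory names in the list, the function names and the virtual-directory mapping format are assumptions you would replace with your own inventory of what a "typical" IIS/MDAC setup dropped on the box. The demo web root it scans is constructed in a temporary directory so the script runs offline.

```python
import os
import tempfile

# Constructed audit list (assumption): file names and directory names that
# indicate sample/diagnostic content. "showcode.asp" comes from the thread;
# the directory names are placeholders for the sample paths your own setup
# created. Matching is case-insensitive because NTFS is.
SAMPLE_FILES = {"showcode.asp"}
SAMPLE_DIRS = {"iissamples", "msadc"}


def audit_webroot(root):
    """Walk one physical directory; return sorted (kind, relative_path) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        # Flag a whole directory when its leaf name is on the sample list.
        if os.path.basename(dirpath).lower() in SAMPLE_DIRS:
            findings.append(("sample-dir", rel))
        # Flag individual sample files wherever they were copied to.
        for name in filenames:
            if name.lower() in SAMPLE_FILES:
                findings.append(("sample-file", os.path.join(rel, name)))
    return sorted(findings)


def audit_vdirs(vdirs):
    """vdirs maps a virtual path (e.g. "/msadc") to its physical directory.

    Virtual directories often point outside the web root, so a plain walk of
    wwwroot misses them; each mapping is walked separately and findings are
    reported by virtual path. Returns a sorted list of (kind, virtual_path).
    """
    findings = []
    for vpath, physical in vdirs.items():
        # The virtual directory itself may be a known sample mapping.
        if vpath.strip("/").lower() in SAMPLE_DIRS:
            findings.append(("sample-vdir", vpath))
        for kind, rel in audit_webroot(physical):
            virtual = vpath.rstrip("/") + "/" + rel.replace(os.sep, "/")
            findings.append((kind, virtual))
    return sorted(findings)


def build_demo_vdirs():
    """Construct a throwaway web root plus one out-of-root virtual directory.

    This is sample data for the demo, not a real IIS layout.
    """
    wwwroot = tempfile.mkdtemp(prefix="wwwroot_")
    msadc = tempfile.mkdtemp(prefix="msadc_")
    os.makedirs(os.path.join(wwwroot, "app"))
    os.makedirs(os.path.join(wwwroot, "IISSAMPLES", "ExAir"))
    with open(os.path.join(wwwroot, "app", "default.asp"), "w") as f:
        f.write('<% Response.Write("hello") %>')
    with open(os.path.join(wwwroot, "IISSAMPLES", "ExAir", "showcode.asp"), "w") as f:
        f.write("<% ' constructed stand-in for the sample file %>")
    with open(os.path.join(msadc, "readme.txt"), "w") as f:
        f.write("constructed placeholder")
    return {"/": wwwroot, "/msadc": msadc}


if __name__ == "__main__":
    for kind, path in audit_vdirs(build_demo_vdirs()):
        print(f"{kind}: {path}")
```

Run it as-is to see the three findings from the constructed tree (a sample directory, the sample file inside it, and the out-of-root `/msadc` mapping); on a real server, feed `audit_vdirs` the mappings from the IIS metabase and treat every finding as something to remove from production rather than merely patch.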
    



    This archive was generated by hypermail 2b30 : Wed May 02 2001 - 12:04:31 PDT