Aside: ability to view ASP/ColdFusion code

• Previous message (by thread): Aside: ability to view ASP/ColdFusion code
• Next message (by thread): An irrelavant thread.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This applies as well to perl and cgi scripts (cgi in iis3.0)

For example:
http://www.activestate.com/lyris/lyris.pl::$DATA

MS hasn't fixed their own site (heh), but they promise a fix today.
http://www.microsoft.com/default.asp::$DATA

In the meantime, Christoph Wille <Christoph.Wille at softwing.com> from Sofwing
has graciously
made available an IIS ISAPI filter that will protect a site from the ::$DATA
vulnerability. You can find it at
http://www.softwing.com/iisdev/ddatafix/

Andrew

-----Original Message-----
From: Manar Hussain <manar at ivision.co.uk>


>This isn't really a NANOG issue so I'll keep it brief - I'm mentioning it
>as it's something people here may well want to consider and pass on to
>customers with NT servers.
>
>Another MS security whole allows people to access the code for
>ASP/ASA/ColdFusion pages by adding ::$data to the URL.
>
>E.g.
>
>http://www.allaire.com/handlers/index.cfm::$DATA
>
>http://www.watford.co.uk/global.asa::$DATA
>
>http://www.datareturn.com/av-asp.asp::$DATA
>
>I understand that using SiteServer or making the file non-readable (but
>retaining execute permissions!) "solves" the problem.
>
>Regards,
>
>Manar

• Previous message (by thread): Aside: ability to view ASP/ColdFusion code
• Next message (by thread): An irrelavant thread.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]