Aside: ability to view ASP/ColdFusion code
andrews at ltinet.net
Thu Jul 2 17:56:27 UTC 1998
This applies as well to perl and cgi scripts (cgi in iis3.0)
MS hasn't fixed their own site (heh), but they promise a fix today.
In the meantime, Christoph Wille <Christoph.Wille at softwing.com> from Sofwing
made available an IIS ISAPI filter that will protect a site from the ::$DATA
vulnerability. You can find it at
From: Manar Hussain <manar at ivision.co.uk>
>This isn't really a NANOG issue so I'll keep it brief - I'm mentioning it
>as it's something people here may well want to consider and pass on to
>customers with NT servers.
>Another MS security whole allows people to access the code for
>ASP/ASA/ColdFusion pages by adding ::$data to the URL.
>I understand that using SiteServer or making the file non-readable (but
>retaining execute permissions!) "solves" the problem.
More information about the NANOG