North American Network Operators Group

Re: Aside: ability to view ASP/ColdFusion code
This applies as well to Perl and CGI scripts (CGI in IIS 3.0).

For example:

http://www.activestate.com/lyris/lyris.pl::$DATA

MS hasn't fixed their own site (heh), but they promise a fix today.

http://www.microsoft.com/default.asp::$DATA

In the meantime, Christoph Wille <[email protected]> from Softwing has graciously made available an IIS ISAPI filter that will protect a site from the ::$DATA vulnerability. You can find it at

http://www.softwing.com/iisdev/ddatafix/

Andrew

-----Original Message-----
From: Manar Hussain <[email protected]>

> This isn't really a NANOG issue so I'll keep it brief - I'm mentioning it
> as it's something people here may well want to consider and pass on to
> customers with NT servers.
>
> Another MS security hole allows people to access the code for
> ASP/ASA/ColdFusion pages by adding ::$data to the URL.
>
> E.g.
>
> http://www.allaire.com/handlers/index.cfm::$DATA
>
> http://www.watford.co.uk/global.asa::$DATA
>
> http://www.datareturn.com/av-asp.asp::$DATA
>
> I understand that using SiteServer or making the file non-readable (but
> retaining execute permissions!) "solves" the problem.
>
> Regards,
>
> Manar
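The bug the thread describes (later published as MS98-003) comes from IIS choosing a handler by the literal extension of the request path: `default.asp::$DATA` does not end in `.asp`, so it is treated as a static file, and NTFS opens `default.asp::$DATA` as the unnamed data stream of `default.asp`, returning the script source. The following is an added example, not code from either poster or from Softwing's ISAPI filter. It models that flawed routing beside a hardened version that decodes the path and refuses NTFS stream syntax, and runs a detector over a constructed IIS W3C-format log excerpt. The handler names, the `SCRIPT_EXTENSIONS` set and every log line are assumptions made for illustration.

```python
"""Model of the IIS "::$DATA" source-disclosure bug and two checks for it.

Added example for the NANOG thread; not IIS code and not Softwing's filter.
The dispatch functions are a toy model of handler selection, and SAMPLE_LOG
is a constructed excerpt, not a real capture.
"""
import os
from urllib.parse import unquote

# Extensions the hypothetical server hands to a script engine (assumption).
SCRIPT_EXTENSIONS = {".asp", ".asa", ".cfm", ".pl"}


def vulnerable_dispatch(uri_path: str) -> str:
    """Flawed routing: handler chosen by the raw extension of the path.

    "/default.asp::$DATA" has extension ".asp::$DATA", which is not a script
    extension, so it falls through to the static-file handler.  On NTFS the
    static handler would then open the unnamed data stream of default.asp.
    """
    _, ext = os.path.splitext(uri_path)
    return "script" if ext.lower() in SCRIPT_EXTENSIONS else "static"


def hardened_dispatch(uri_path: str) -> str:
    """Decode first, then refuse any NTFS stream syntax in the final segment.

    A ':' cannot appear in a legitimate NTFS file name, so rejecting it is
    safer than stripping "::$DATA" and routing whatever remains.  Decoding
    before the check catches "%3A%3A%24DATA" and similar encodings.
    """
    decoded = unquote(uri_path)
    leaf = decoded.rsplit("/", 1)[-1]
    if ":" in leaf:
        return "reject"
    _, ext = os.path.splitext(leaf)
    return "script" if ext.lower() in SCRIPT_EXTENSIONS else "static"


# Constructed IIS W3C extended log excerpt (assumption; not a real capture).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1998-07-01 10:00:01 192.0.2.10 GET /default.asp - 200
1998-07-01 10:00:05 192.0.2.10 GET /default.asp::$DATA - 200
1998-07-01 10:00:09 198.51.100.7 GET /global.asa%3A%3A%24DATA - 200
1998-07-01 10:00:12 203.0.113.5 GET /index.cfm id=3 200
1998-07-01 10:00:15 203.0.113.5 GET /images/logo.gif - 200
"""


def find_stream_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client IP, decoded URI stem) for requests naming an NTFS stream.

    Field names are taken from the #Fields: directive, so the function works
    on any W3C extended log that includes c-ip and cs-uri-stem.
    """
    hits = []
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        stem = unquote(rec["cs-uri-stem"])
        if ":" in stem.rsplit("/", 1)[-1]:
            hits.append((rec["c-ip"], stem))
    return hits


if __name__ == "__main__":
    for path in ("/default.asp", "/default.asp::$DATA", "/global.asa%3A%3A%24DATA"):
        print(f"{path:32} vulnerable={vulnerable_dispatch(path):7} hardened={hardened_dispatch(path)}")
    for ip, stem in find_stream_requests(SAMPLE_LOG):
        print(f"stream request from {ip}: {stem}")
```

The log check is the one worth running first against old IIS logs: the hardened dispatcher closes the hole going forward, but only the logs show whether anyone already pulled `global.asa` (with its connection strings) before the fix went on.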