19. ASP bug

Source: Internet
Author: User
III. Problems faced by servers that support ASP free homepage space and virtual host services

1. ASP code on the server may be illegally obtained by others with ASP permissions.

For example, the ASP 1.0 samples provided by Microsoft include an .asp file that is used to view the source code of other .asp files. The file is aspsamp/samples/code.asp. If someone uploads this program to the server and the server takes no preventive measures, that person can easily view other people's programs.
For example:

code.asp?source=/directory/file.asp

2. The Access MDB database may be downloaded.

Free homepage servers that grant ASP permissions generally cannot offer a service for setting up a DSN. The databases used by ASP programs are therefore generally limited to MDB databases, and the location of the remote MDB database is specified directly in the ASP code using the DSN-less method mentioned in section 14. The method is as follows:

<% connstr = "DBQ=" + Server.MapPath("database/source.mdb") + ";DefaultDir=;Driver={Microsoft Access Driver (*.mdb)};DriverId=25;FIL=MS Access;ImplicitCommitSync=Yes;MaxBufferSize=512;MaxScanRows=8;PageTimeout=5;SafeTransactions=0;Threads=3;UserCommitSync=Yes;" %>

As mentioned above, in this case the MDB database may be downloaded by others, resulting in leakage of passwords.

Therefore, as a webmaster, you should take measures to prohibit programs such as code.asp (this seems difficult to do, but their feature code can be searched for regularly) and to restrict MDB downloads.

3. Threats from the powerful FileSystemObject component

In IIS 3 and IIS 4, ASP file operations can all be implemented through FileSystemObject, including reading and writing text files, directory operations, and copying, renaming and deleting files. However, this powerful feature leaves a very dangerous "backdoor". FileSystemObject can be used to tamper with any file on a FAT partition. Even NTFS partitions can be damaged if permissions are not set. If you are not careful, you may suffer a disaster. Unfortunately, many webmasters only know how to get the Web server running and seldom set NTFS permissions, and the default NT directory permissions are terrible. Therefore, if you are a webmaster, the author strongly recommends that you pay close attention to server settings and build the web directory on an NTFS partition. Do not set the directory to Everyone Full Control; even members of the Administrators group do not need Full Control, as long as they have Read and Change permissions.
4. Attacks that ASP applications may face

In the past, many CGI guestbooks and BBSes on the Internet stored the message entered by a visitor in a variable and then inserted that variable into the HTML file that displays the messages. Text entered by the visitor therefore has to comply with the HTML standard when it is displayed, and CGI programs generally wrap it in specific HTML: when the visitor's input is inserted into the HTML file, opening and closing HTML tags are inserted around it at the same time, such as:

<font>variable input by the customer</font>

But if the input cancels out the HTML tags placed before and after it, a lot can be done.

If you enter the following:

</font>HTML-compliant statement<font>

the leading </font> and trailing <font> cancel out the HTML tags supplied by the CGI program. Inserted into the HTML file, it becomes:

<font></font>HTML-compliant statement<font></font>

This makes it easy to write an endless JavaScript loop. Enter the following in the input box:

<a href="url" onmouseover="while(1){window.close('/')}">

or

<a href="url" onmouseover="while(true){window.close('/')}">

and the browser of any other visitor who views the message will hang in an endless loop. Programs developed in ASP may have the same problem. Therefore, when you write similar programs in ASP, you should guard against this. For example, you can write code that checks the client input and blocks all HTML and JavaScript statements.
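The break-out described above and its fix by encoding on output, as an added example that is not code from the original article. The function names and the template string are assumptions; in ASP itself the equivalent of the encoding step is the built-in Server.HTMLEncode.

```python
import html
from html.parser import HTMLParser

# The wrapper the article describes: user text placed between <font> tags.
TEMPLATE = "<font>{message}</font>"

def render_raw(message):
    """Vulnerable pattern: user text pasted straight into the template."""
    return TEMPLATE.format(message=message)

def render_encoded(message):
    """Encode on output so user text can never open or close a tag."""
    return TEMPLATE.format(message=html.escape(message, quote=True))

class TagCollector(HTMLParser):
    """Records each start tag and its attribute names as a parser sees them."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, sorted(name for name, _ in attrs)))

def tags_in(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags

# The article's own input: close the wrapper, add a tag with an event
# handler, then reopen the wrapper so the page stays well-formed.
BREAKOUT = ('</font><a href="url" '
            'onmouseover="while(1){window.close(\'/\')}">text<font>')

if __name__ == "__main__":
    print("raw:    ", tags_in(render_raw(BREAKOUT)))
    print("encoded:", tags_in(render_encoded(BREAKOUT)))
```

With the raw renderer the parser sees the visitor's `<a>` tag and its `onmouseover` attribute as live markup; with the encoded renderer only the template's own `<font>` tag remains and the message is displayed as text.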

After reading this article, if you are shocked, you should thoroughly check your existing website or ASP programs to see whether the above vulnerabilities exist. If you already understand all the vulnerabilities mentioned in this article and have adequate countermeasures, I would still remind you to check your website and ASP programs frequently; if you have databases, check them frequently as well, to prevent others from exploiting unknown vulnerabilities. Finally, if you have any insights of your own on the ASP security issues discussed in this article, or discover new vulnerabilities, I hope you will discuss them with me.
