ASP Basics Tutorial: Blocking ASP Vulnerabilities

Source: Internet
Author: User
Tags: dsn, file copy, mdb, database

Whether you believe it or not, through ASP it is possible to break into a Web server with surprising ease: to steal files from the server, to capture user passwords for systems such as Web databases, or even to maliciously delete files until the system is unusable. This is not sensationalism; it has actually happened. This article reveals these ASP vulnerabilities one by one and offers some preventive advice.

The previous article focused on how to display database records page by page with ADO. A reader wrote to point out that, when computing the total number of pages, I ignored an important Recordset property, PageCount, which gives the total number of pages automatically once PageSize is set, instead of the clumsy formula "INT(rs.recordcount/pgsz*-1)*-1". I thank this friend for pointing out the deficiency in the program. I wrote that program a long time ago; because the total number of records is not necessarily divisible by the number of records displayed per page, and at the time I was not sure whether PageCount would compute the number of pages correctly, I lazily wrote that formula :). To be honest, I have never tried PageCount; interested readers should try it, and do not copy my laziness.

Recently I found that many friends on the Chinaasp BBS do not understand some of ASP's security problems very well, and some do not even know how to solve the most common one, the ::$DATA source-code disclosure. So I think it is necessary to discuss this issue here. With the consent of Asuka of Chinaasp, I am combining a short introduction to ASP vulnerabilities that he wrote earlier with some of my own practical experience, to give you a detailed analysis of ASP security, which is crucial for any webmaster.

When the ::$DATA vulnerability was discovered and published last year, the very next day I tested most of the domestic sites that use ASP, and 99% of them had the source-code disclosure problem described below; I even retrieved the source code of the Search.asp file from Microsoft's own site. You may feel that exposing source code is nothing serious; as a webmaster, thinking so would be a big mistake. For example, if the ASP programmer writes the site's login password directly into the ASP file, then once the source code is seen, anyone can easily enter pages that should not be visible. I have used this method to become a member of a paid site for free (do not expose me!). Many database connection user names and passwords are also written directly into ASP files; once discovered, if your database allows remote access and has no protection, it is quite dangerous. Many BBS programs developed in ASP use an Access MDB database; if the path where the MDB file is stored is known, the database can very likely be downloaded, and if the passwords it contains are not encrypted this is very dangerous: someone who obtains the administrator password and means harm only has to log in as Admin and delete every post on the BBS, which is enough to make you choke. Below are some of the loopholes that have been found; I hope everyone raises their vigilance.

First, our experiments found that with an ASP program running on WIN95+PWS, simply appending a period to the ASP file name in the browser's address bar causes the ASP program to be downloaded. IIS3 has the same problem; if you are still using IIS3, be sure to test it.

Second, a well-known vulnerability in IIS2, IIS3 and IIS4 is ::$DATA: by appending it and using IE's View Source, or by accessing the ASP file directly in Netscape, the ASP code can easily be seen. WIN98+PWS4 does not have this vulnerability.

What causes this terrible loophole? The root of the problem lies in a quirk of NT's own file system. Anyone with a bit of background knows that NT offers a file system completely different from FAT: NTFS, the New Technology File System, which gives NT a high level of security but also creates many headaches. What you may not know is that NTFS allows a file to contain multiple data streams, and the main stream that holds all of the file's content is named "$DATA". This makes it possible to fetch the script inside a file simply by naming this NTFS stream directly in the browser. The direct cause, however, is that IIS has a problem parsing the file name: it does not properly canonicalize the name, so a request ending in ::$DATA is not recognized as an ASP file and the raw source is returned.

How do we solve this problem? There are several ways:

A. Set the directory containing the .asp files to unreadable (ASP can still execute). HTML, CSS and other files can then not be placed in this directory, because they would no longer be viewable.

B. Install the patch provided by Microsoft; the download addresses are as follows (note that there are different patches for different systems, and the filename suffix i or a indicates Intel or Alpha):

The patch for IIS3, Intel platform:

Ftp.microsoft.com/bussys/iis/iis-public/fixes/cht/security/iis3-datafix/iis3fixi.exe

The patch for IIS3, Alpha platform:

Ftp.microsoft.com/bussys/iis/iis-public/fixes/cht/security/iis3-datafix/iis3fixa.exe

The patch for IIS4, Intel platform:

Ftp.microsoft.com/bussys/iis/iis-public/fixes/cht/security/iis4-datafix/iis4fixi.exe

The patch for IIS4, Alpha platform:

Ftp.microsoft.com/bussys/iis/iis-public/fixes/cht/security/iis4-datafix/iis4fixa.exe

C. Install IE4.01 SP1 on the server. This is effective, although the author has not specifically tried it.

D. The author's personal opinion: install the English version of NT wherever possible instead of the Chinese version. The author is not sure of the reason; it is only practical experience that the English version of NT has fewer bugs than the Chinese version. If any friend knows the reason, please tell me.

Third. Problems faced by servers that offer free ASP home-page space and virtual hosting services

1. ASP code on the server is likely to be illegally obtained by other users who have ASP privileges.

A very simple example: among the ASP 1.0 sample programs provided by Microsoft there is an .asp file that displays the source code of other .asp files, aspsamp/samples/code.asp. If someone uploads this program to the server and the server has taken no precautions, he can easily read other people's programs.

For example:

Code.asp?source=/directory/file.asp

2. The Access MDB database you use may be downloaded. In general, free home-page servers that provide ASP permissions cannot set up a DSN on the user's behalf, so the database used by the ASP program is usually limited to an MDB file, and the location of the MDB database is specified directly in the ASP file using the DSN-less method described in the 14th installment, as follows:

<% CONNSTR = "dbq=" & Server.MapPath("Database/source.mdb") & ";DefaultDir=;Driver={Microsoft Access Driver (*.mdb)};DriverId=25;FIL=MS Access;ImplicitCommitSync=Yes;MaxBufferSize=512;MaxScanRows=8;PageTimeout=5;SafeTransactions=0;Threads=3;UserCommitSync=Yes;" %>

As mentioned earlier, in this case the MDB database is likely to be downloaded by others, leaking passwords and the like.

Therefore, as a webmaster you should take certain measures: prohibit programs such as code.asp (this seems hard to do, but you can periodically search uploaded files for their characteristic code) and restrict downloading of MDB files.

3. Threats from the powerful FileSystemObject component

In IIS3 and IIS4, ASP can perform file operations through FileSystemObject, including reading and writing text files, directory operations, and copying, renaming and deleting files. But this powerful feature also leaves a very dangerous "back door": with FileSystemObject, any file on a FAT partition can be tampered with or downloaded. Even on an NTFS partition, if permissions are not set, files can be destroyed just the same; if you are careless you may suffer "annihilation". Unfortunately, many webmasters only know how to get the Web server running; very few set NTFS permissions, and the default NT directory permissions are alarmingly insecure. Therefore, if you are a webmaster, the author strongly recommends that you pay close attention to the server settings: build the Web directory on an NTFS partition where possible, do not give Everyone Full Control over directories, and even members of the Administrators group generally do not need Full Control; Read and Change permissions are sufficient.
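A periodic check of the kind suggested in points 2 and 3 above, as an added Python example that is not from the article: it walks a Web root, flags MDB files that sit inside the Web tree (and so can be fetched by URL), flags ASP files that create FileSystemObject in the way code.asp does, and records DSN-less connection strings that map an MDB inside the tree. The sample site it scans is constructed in a temporary directory, and the regexes are assumptions about what such files look like.

```python
import os
import re
import tempfile

# Patterns the article describes: FileSystemObject creation (code.asp reads
# other files with it) and DSN-less connection strings that point at an
# MDB file inside the Web tree via Server.MapPath. Both are assumptions.
FSO_RE = re.compile(r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"\s*\)', re.I)
MAPPATH_MDB_RE = re.compile(r'Server\.MapPath\s*\(\s*"([^"]+\.mdb)"\s*\)', re.I)

def scan_webroot(webroot: str) -> dict:
    """Walk a Web root and return findings keyed by category."""
    findings = {"mdb_in_webroot": [], "fso_in_asp": [], "mdb_referenced": []}
    for dirpath, _, names in os.walk(webroot):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            if name.lower().endswith(".mdb"):
                # Anything under the Web root can be requested by URL.
                findings["mdb_in_webroot"].append(rel)
            elif name.lower().endswith(".asp"):
                with open(path, encoding="latin-1") as fh:
                    src = fh.read()
                if FSO_RE.search(src):
                    findings["fso_in_asp"].append(rel)
                for mdb in MAPPATH_MDB_RE.findall(src):
                    findings["mdb_referenced"].append((rel, mdb))
    return findings

def build_sample_site() -> str:
    """Constructed sample Web root (not a real site) for running the scan."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Database"))
    files = {
        "Database/source.mdb": "",  # the MDB sits inside the Web tree
        "bbs.asp": ('<% CONNSTR = "dbq=" & Server.MapPath("Database/source.mdb")'
                    ' & ";Driver={Microsoft Access Driver (*.mdb)};" %>'),
        "code.asp": '<% Set fso = Server.CreateObject("Scripting.FileSystemObject") %>',
        "index.asp": '<% Response.Write "hello" %>',
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="latin-1") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for category, hits in scan_webroot(build_sample_site()).items():
        print(category, hits)
```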

Fourth. Possible attacks on ASP applications

Many message-board CGI programs on the Internet turn the visitor's input into a variable and then insert that variable into the HTML file that displays the message, so the visitor's text has to fit into the HTML of that file. CGI programs usually include specific HTML tags, and when the visitor's content is inserted into the HTML file it lands between fixed HTML statements, such as:

<font> visitor's input variable </font>

But if you place HTML tags before and after the input, you can do many things. If the input typed is:

</font> statements conforming to the HTML standard <font>

then the <font> tags are used as the CGI's own HTML statements, and once inserted into the HTML file it becomes:

<font></font> statements conforming to the HTML standard <font></font>

Because of this, it is very easy to write an infinite JavaScript loop; just type into the input box:

<a href="URL" onmouseover="while(1){window.close('')}"> or <a href="URL" onmouseover="while(true){window.close('')}">

Then the browser of any other visitor viewing the message will hang because of the infinite loop. Programs developed in ASP may have the same problem, so when you write a similar program in ASP you should guard well against such operations, for example by writing a routine that examines the client's input and blocks all HTML and JavaScript statements.
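The two defences the paragraph above calls for, as an added Python example that is not from the article: the vulnerable pattern that pastes the visitor's text between fixed tags beside a hardened version that HTML-encodes it first (html.escape stands in here for Server.HTMLEncode in classic ASP), plus an input check that refuses text carrying tags or script handlers. The payload is the article's own tag-breaking onmouseover loop, embedded as constructed test data.

```python
import html
import re

# Constructed sample inputs: a harmless message and the tag-breaking
# payload from the article (an event handler holding an infinite loop).
SAFE_MESSAGE = "Hello from the BBS"
LOOP_PAYLOAD = '</font><a href="URL" onmouseover="while(1){window.close(\'\')}">x</a><font>'

def render_unsafe(user_input: str) -> str:
    """Vulnerable pattern: the visitor's text is pasted between fixed tags,
    so a closing </font> in the input breaks out and injects markup."""
    return "<font>" + user_input + "</font>"

def render_safe(user_input: str) -> str:
    """Hardened pattern: encode the text first, so < > & " ' become entities
    and the browser shows them as literal characters, not as markup."""
    return "<font>" + html.escape(user_input, quote=True) + "</font>"

# A tag starts with '<' directly followed by a letter or '/', which is what a
# browser treats as markup; javascript: URLs and on*= handlers are also
# refused when input is rejected rather than encoded. Heuristic, assumed.
_MARKUP = re.compile(r"</?[a-zA-Z]|javascript\s*:|\bon[a-z]+\s*=", re.I)

def contains_markup(user_input: str) -> bool:
    """The input check the article suggests: refuse text that carries HTML
    or script instead of trying to strip it piece by piece."""
    return _MARKUP.search(user_input) is not None

def tag_count(fragment: str) -> int:
    """Count the markup tags a browser would see in a rendered fragment."""
    return len(re.findall(r"</?[a-zA-Z]", fragment))

if __name__ == "__main__":
    print(tag_count(render_unsafe(LOOP_PAYLOAD)), "tags when pasted raw")
    print(tag_count(render_safe(LOOP_PAYLOAD)), "tags when encoded")
    print(contains_markup(LOOP_PAYLOAD), contains_markup(SAFE_MESSAGE))
```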

If you are shocked after reading this, you must thoroughly check your existing website and ASP programs to see whether any of these vulnerabilities are present. If you already understand the loopholes described here and have adequate countermeasures, then congratulations, but you are still reminded to check your website and ASP programs often, and if you have a database to inspect it frequently too, in case others exploit vulnerabilities we do not yet know about. Finally, if you have unique insight into the ASP security issues discussed in this article, or new discoveries about these vulnerabilities, I hope to hear from you.
