Resolving 3 code.asp files will leak ASP code
Problem Description:
For a very simple example, there is an. asp file in the Microsoft ASP1.0 routines, designed to view the source code for other. asp files, which is
Aspsamp/samples/code.asp. If someone uploads the program to the server and the server doesn't have any precautions, he can easily view his
Person's program. For example:
Code.asp?source=/directory/file.asp
However, this is a relatively old loophole, I believe that there are few such vulnerabilities.
The following command is relatively new:
Http://someurl/iissamples/exair/howitworks/code.asp?/lunwen/soushuo.asp=xxx.asp
The biggest harm is that ASA file can be read in the way above, the database password in plaintext form exposed to the eyes of the hacker;
Problem solving or suggestion:
For an ASP program file with the show ASP code from IIS, either delete the file or disable access to the directory
4. FileSystemObject component tampering with a vulnerability to download any file on a FAT partition
Problem Description:
IIS3, IIS4 ASP file operations can be implemented through the FileSystemObject, including text files read and write directory operations, file copy renamed Delete
In addition to waiting, but this powerful function also left a very dangerous "back door." Using Filesystemobjet, you can tamper with downloading any file on a FAT partition. Even
is an NTFS partition, if the permissions are not set, the same can be destroyed, accidentally you may suffer from "extinction." Unfortunately, a lot of webmaster only know
The Web server is run with little permissions set on NTFS, and the default setting for NT directory permissions is horribly low. Therefore, if you are
Webmaster, it is recommended that you pay close attention to the server settings, and try to build the Web directory on an NTFS partition, which does not set everyone's full control, even if
is a member of the Administrators group generally there is no need for full control, as long as there is read, change permissions is sufficient. You can also delete the FileSystemObject component.
except or renaming.
5, the input standard HTML statement or JavaScript statement will change the output results
Problem Description:
What is the result of entering a standard HTML statement in an input box?
such as a message book, we enter the content of the message:
<font size=10> Hello! </font>
If your ASP program does not block HTML statements, it will change the "Hello" font size. Change font size and texture in the message book sometimes it's not that bad.
Things, but can make the message lively. But if you write a dead loop of JavaScript in the input box, for example: <a herf= "Http://someurl"
Onmouseover= ' while (1) {window.close ('/')} ' > Mega news </a>
Then other visitors to view the message as long as the mobile mouse to "Mega News", on the user's browser because of the death cycle and die.
Solutions and Recommendations:
You should guard against such operations when writing similar programs, such as writing a program to judge input from the client and masking all HTML, Javascript
Statement.
