Home > Developer > ASP

ASP vulnerability Analysis and resolution method

Source: Internet
Author: User
Tags file system ini mdb database access database access
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >
Solution to ASP vulnerability Analysis and resolution


Some people say that a computer that is not connected to the outside is the safest computer, a computer that shuts down all the ports and does not provide any services is also the safest. Hackers often use me
Ports that are open to attack, the most common of these attacks is DDoS (denial of service attacks). Below I will list the ASP more than 20 vulnerabilities, each vulnerability can be traced
and solutions.

1 in the ASP program after adding a special symbol, can see the ASP source program

Affected version:
Win95+pws
IIS3.0
98+pws4 There is no such loophole.
There is no such loophole in the version above IIS4.0.
Problem Description:
These special symbols include decimal points,%81,:D ATA. Like what:
Http://someurl/somepage.asp.
http://someurl/somepage.asp%81
http://someurl/somepage.asp:data
http://someurl/somepage.asp%2e
http://someurl/somepage%2e%41sp
http://someurl/somepage%2e%asp
http://someurl/somepage.asp%2e
Http://someurl/msadc/samples/selector/showcode.asp?source=/msadc/samples/../../../../../../boot.ini (CAN
See the contents of the Boot.ini file)
Then it is easy to see the somepage.asp source program in the IIS3.0 and WIN95+PWS browsing. What is the cause of this terrible loophole?
The root of the problem is that Windows NT-specific file systems are doing strange things. People with a little common sense know that a file system that is completely different from FAT is provided in NT:
NTFS, the technology called New technology file system makes NT have a higher security mechanism, but it is because it caused a lot of headaches. Everyone
It may not be known that NTFS supports a majority stream in a file, and that the main data stream that contains all the content is called "data", so that the browser
It is possible to easily capture the script in a file by directly accessing this feature of the NTFS system. However, the direct cause of:D ATA is due to the fact that IIS
There was a problem parsing the filename, and it did not properly standardize the file name.

Solutions and Recommendations:
If it is a Winodws NT user, installing IIS4.0 or iis5.0,windows2000 does not have this problem. If you are a Win95 user, install WIN98 and PWS4.0.

2 vulnerabilities where ACCESS MDB databases may be downloaded

Problem Description:
When you use Access as a background database, if someone knows or guesses the path and database name of the server's Access database in various ways, then he can
It is very dangerous to download this Access database file. For example, if your Access database is Book.mdb under a virtual directory,
Someone in the browser to enter:
http://Someurl/database/book.mdb
If your Book.mdb database is not encrypted beforehand, all the important data in the Book.mdb is in the hands of others.

Workaround:
(1) Make a complicated unconventional name for your database file name and put it in a few eyes
Recorded. The so-called "unconventional", for example: there is a database to keep the information about books, but do not put him a "Book.mdb" name, a strange name
Say, like D34ksfslf.mdb, and then put him in a few layers of/kdslf/i44/studi/, so that hackers want to guess the way your Access database
Files are even harder.

(2) Do not write the database name in the program. Some people like to write DSN in a program, such as:

DBPath = Server.MapPath ("Cmddb.mdb")
Conn. Open "Driver={microsoft Access driver (*.mdb)};d bq=" & DBPath

If you get a source program, your Access database will have a glance in the name. Therefore, it is recommended that you set up a data source in ODBC and then write it in the program:
Conn.Open "Shujiyuan"

(3) Use Access to encode and encrypt the database files. First in the Select tool-> ann
Full-> Encrypt/Decrypt the database, select the database (such as: Employer.mdb), then confirm, then the "Database encrypted Save as" window, Save as:
Employer1.mdb. Then the employer.mdb will be encoded and stored as employer1.mdb.
Note that the above action does not set a password on the database, but only encodes the database file to prevent others from using other tools to view
The contents of the database file.
Next we encrypt the database, first by opening the encoded Employer1.mdb, and when we open it, select "Exclusive" mode. Then select the function table's tools-
> Security-> Set the database password, then enter the password.
After you have set a password for Employer1.mdb, then if you use the Accees database file again, Access asks for a password before it can be verified correctly.
Move the database.
However, to add PWD parameters to the Connection object's open method in an ASP program, for example:
param= "Driver={microsoft Access driver (*.mdb)}; Pwd=yfdsfs "
param=param& ";d bq=" &server.mappath ("Employer1.mdb")
Conn.Open param
So even if someone gets the Employer1.mdb file, he can't see Employer1.mdb without a password.



This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
asp net and asp get method and post method class method and instance method horizontal and vertical resolution dpi get and post method mix and split method investments analysis and management
Related Article
ASP. NET core combined with consul cluster &docker to rea...
ASP. NET Core SignalR uses a generic hub to gracefully invoke...
ASP. NET Core 2.0 leverages Masstransit integrated RABBITMQ
Integration testing of ASP. NET Core Webapi using Xunit
CKEDITOR + CKFINDER image upload configuration (C #/asp.net/php)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More