Blocking ASP Vulnerabilities

Source: Internet
Author: User
Tags: dsn, mdb, database, ntfs, permissions

Believe it or not, ASP can be used to break into a web server, steal files from it and capture the user passwords held in web databases, even to delete files maliciously until the system is wrecked. This sounds sensational, but it has actually happened. This article lays out the vulnerabilities in ASP one by one and offers some suggestions for preventing them.

The previous article focused on displaying a database page by page when accessing it through ADO. A friend wrote to tell me that I had ignored an important property of the Recordset object, PageCount, when calculating the total number of pages: once PageSize has been assigned, it gives the total page count automatically, instead of using Int(rs.RecordCount / pgsz * -1) * -1. I thank this friend for kindly pointing out the shortcoming in the program. That program was written a long time ago; at the time the records might not divide evenly into pages, and I was not sure whether PageCount would calculate the page count correctly, so I lazily wrote that formula :) To tell the truth, I still have not tried PageCount. If you are interested, please do not copy my laziness.

Recently, while discussing issues on the chinaasp BBS, I found that many friends do not know much about ASP security, not even how to deal with the most common ASP problem, the ::$DATA source-code disclosure. I therefore think it is necessary to focus on this issue for everyone. With the consent of chinaasp, I will give a detailed analysis of the ASP security issues that matter to a webmaster, by introducing the ASP vulnerabilities together with some of my own practical experience.

On the second day after ::$DATA was discovered and announced last year, I tested most of the sites in China that used ASP at the time; on 99% of them the source code could be seen, and that day I even retrieved the source of the search ASP file on Microsoft's own website. You may think that exposing source code is not serious. If you think so as a webmaster, that is a big mistake. For example, if the ASP programmer writes the site's login password directly into the ASP file, then once the source is found, anyone can easily reach the pages they should not see; I used this method to become a paid member of a website for free (don't expose me!). In addition, many database connection user names and passwords are written directly into ASP. Once they are discovered, it is quite dangerous if your database allows remote access without protection. BBS programs developed in ASP often use an Access MDB database; if the path to the MDB file is known, the database can be downloaded by others, and if the passwords stored in it are not encrypted, that is very dangerous. Anyone who obtains the admin password and wants to do damage only needs to log in as admin and delete every post on the BBS, which is enough to ruin you. The following lists some of the vulnerabilities that have been found. I hope you will be vigilant.

I. In our experiments we found that for ASP programs running on Win95 + PWS, simply adding a period after the .asp file name in the browser's address bar lets you download the ASP source. IIS3 has the same problem; if you are still using IIS3, you must test it.

II. A widely known vulnerability in IIS2, IIS3 and IIS4 is ::$DATA: append ::$DATA to the URL of an ASP file, request it directly with IE's View Source or with Netscape, and the ASP code is shown as-is. This vulnerability does not exist in Win98 + PWS4.

What causes this terrible vulnerability? The root cause is the file system specific to Windows NT playing a strange role. Anyone with a little knowledge knows that NT provides a file system completely different from FAT: NTFS, the New Technology File System, which gives NT a strong security mechanism but has also produced a few headaches. What you may not know is that NTFS allows a file to contain multiple data streams. The main, unnamed stream that holds the file's ordinary content is called $DATA, and the file can be opened through it by name as file.asp::$DATA. The bug is not in NTFS itself but in IIS, which fails to canonicalize the requested file name: file.asp::$DATA is not recognized as an .asp file, is never handed to the ASP script engine, and is served as a static file, which is exactly the script source. The trailing-dot trick in section I works for the same reason: "file.asp." does not match the .asp extension mapping, but Windows strips the trailing dot when it opens the file.

How can we solve this problem? There are several methods:

A. Remove Read permission from the directory where the .asp files are stored (keep Execute, so ASP can still run). HTML, CSS and other static files can then no longer be placed in that directory, because they will not be served.

B. Install the patch provided by Microsoft (the ::$DATA fix was published as security bulletin MS98-003). Note that there are different patches for different systems: separate patches exist for IIS3 and IIS4, and for the Intel and Alpha platforms, so pick the one matching your server.

C. Installing IE 4.01 SP1 on the server may also help. I have not tried it.

D. Then there is the author's personal opinion: try to install the English version of NT instead of the Chinese version. I cannot say why, but in practical experience the English version of NT has fewer bugs than the Chinese version; if anyone knows the reason, please tell me.
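A regression check for the two disclosure variants described in sections I and II, added here as an example and not code from the original article: it builds the probe URLs for an .asp page, classifies a response body as leaked script when it still contains unprocessed <% ... %> delimiters, and flags the embedded database credentials that section II warns about. The function names, the constructed sample response and the credential pattern are my assumptions; the HTTP fetch itself is left to whatever client you use.

```python
"""Regression check for the ASP source-disclosure bugs discussed above.
Added example, not code from the original article. The HTTP fetch is left
to the caller; this module only builds the probe URLs and inspects bodies."""
from __future__ import annotations

import re
from urllib.parse import urlsplit, urlunsplit

# Suffixes that made unpatched IIS/PWS bypass the .asp extension mapping and
# serve the script text as a static file (sections I and II).
DISCLOSURE_SUFFIXES = (".", "::$DATA")

# Unprocessed ASP delimiters in a response mean the script was not executed.
ASP_DELIMITER = re.compile(r"<%.*?%>", re.DOTALL)

# Assumed pattern for credentials embedded in a connection string.
EMBEDDED_SECRET = re.compile(r"\b(?:uid|pwd|password|user\s*id)\s*=\s*[^;\"']+", re.I)

# Constructed sample of what a leaked login.asp might look like.
SAMPLE_LEAK = (
    '<% Set conn = Server.CreateObject("ADODB.Connection")\n'
    'conn.Open "DSN=bbs;UID=sa;PWD=secret" %>\n'
    "<html><body>Login</body></html>"
)


def probe_urls(url: str) -> list[str]:
    """Return the disclosure variants to request for one .asp URL."""
    parts = urlsplit(url)
    return [urlunsplit(parts._replace(path=parts.path + s)) for s in DISCLOSURE_SUFFIXES]


def looks_like_asp_source(body: str) -> bool:
    """True if the body still contains <% ... %> blocks, i.e. leaked source."""
    return ASP_DELIMITER.search(body) is not None


def find_embedded_secrets(source: str) -> list[str]:
    """List credential assignments found in leaked source."""
    return [m.group(0) for m in EMBEDDED_SECRET.finditer(source)]


def classify(responses: dict[str, str]) -> dict[str, bool]:
    """Map each probed URL to whether its response leaked source."""
    return {url: looks_like_asp_source(body) for url, body in responses.items()}


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    for u in probe_urls("http://host/bbs/login.asp"):
        print(u)
    print(looks_like_asp_source(SAMPLE_LEAK), find_embedded_secrets(SAMPLE_LEAK))
```

Run it against every .asp page after applying remedy A or B: a patched server should answer the variant URLs with an error or with the executed page, never with a body that looks_like_asp_source() accepts. Anything find_embedded_secrets() reports is a password to rotate, whether or not the disclosure is still open.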

III. Problems faced by servers that offer ASP-enabled free home-page space or virtual hosting

1. ASP code on the server may be obtained illegally by other users who have ASP permissions.

For example, the ASP 1.0 samples that Microsoft ships include an .asp file that displays the source code of other .asp files: aspsamp/samples/code.asp. If someone uploads this program to the server and the server has taken no precautions, it is easy for them to view other people's programs.

For example:

code.asp?Source=/directory/file.asp
2. The Access MDB database may be downloaded. A free home-page server that offers ASP generally cannot set up a DSN for each user, so the databases used by ASP programs there are usually limited to MDB files, whose location is specified directly in the ASP using the DSN-less method covered in part 14. The method is as follows:

<% ConnStr = "DBQ=" & Server.MapPath("database/source.mdb") & ";DefaultDir=;Driver={Microsoft Access Driver (*.mdb)};DriverId=25;FIL=MS Access;ImplicitCommitSync=Yes;MaxBufferSize=512;MaxScanRows=8;PageTimeout=5;SafeTransactions=0;Threads=3;UserCommitSync=Yes;" %>

As mentioned above, in this case the MDB file sits under the web root at a path the ASP source reveals, so it can be downloaded by others, leaking the passwords it contains. Where possible, keep the database outside the web root, or deny the account the web server uses read access to it.

Therefore, as a webmaster, you should take measures to prohibit programs such as code.asp (this seems hard to do, but you can scan uploaded files regularly for its characteristic code) and to restrict MDB downloads.
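An audit script for the two hosting risks in points 1 and 2, added here as an example and not code from the original article: it walks a shared web root, flags .asp pages that open a file named by the request (the code.asp pattern) and lists .mdb files that sit inside the web root where a plain GET can fetch them. The detection signatures, the temporary sample tree and the stand-in for code.asp are my assumptions, constructed so the script runs offline.

```python
"""Audit of a shared web root for the two hosting risks above: uploaded
.asp pages that read any file named in the request (the code.asp pattern)
and .mdb databases sitting inside the web root. Added example, not from
the original article; the signatures are assumed heuristics."""
from __future__ import annotations

import os
import re
import tempfile

# code.asp-style reader: instantiates FileSystemObject and opens a file whose
# name comes straight from the request (assumed signature).
USES_FSO = re.compile(r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"\s*\)', re.I)
OPENS_REQUESTED_FILE = re.compile(
    r"OpenTextFile\s*\(\s*(?:Server\.MapPath\s*\(\s*)?Request(?:\.QueryString|\.Form)?\s*\(", re.I)


def is_file_reader(asp_source: str) -> bool:
    """True when an .asp page opens a file chosen by the client."""
    return bool(USES_FSO.search(asp_source) and OPENS_REQUESTED_FILE.search(asp_source))


def audit_webroot(webroot: str) -> dict[str, list[str]]:
    """Walk the web root and collect paths of the two risky file kinds."""
    findings: dict[str, list[str]] = {"file_readers": [], "exposed_mdb": []}
    for dirpath, _dirs, filenames in os.walk(webroot):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(".mdb"):
                # Anything under the web root is one GET away from download.
                findings["exposed_mdb"].append(path)
            elif lower.endswith(".asp"):
                with open(path, encoding="latin-1") as fh:
                    if is_file_reader(fh.read()):
                        findings["file_readers"].append(path)
    return findings


def build_sample_tree() -> str:
    """Create a throwaway web root populated with constructed sample files."""
    root = tempfile.mkdtemp(prefix="aspaudit_")
    os.makedirs(os.path.join(root, "bbs", "database"))
    samples = {
        os.path.join("bbs", "default.asp"): '<% Response.Write "hello" %>',
        os.path.join("bbs", "database", "source.mdb"): "constructed stand-in for an Access file",
        # Constructed stand-in for the Microsoft sample code.asp.
        os.path.join("bbs", "code.asp"): (
            '<% Set fso = Server.CreateObject("Scripting.FileSystemObject")\n'
            'Set f = fso.OpenTextFile(Server.MapPath(Request("Source")))\n'
            "Response.Write Server.HTMLEncode(f.ReadAll) %>"
        ),
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="latin-1") as fh:
            fh.write(body)
    return root


def run_demo() -> dict[str, list[str]]:
    """Audit the sample tree and return findings as web-root-relative paths."""
    root = build_sample_tree()
    return {
        kind: sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in paths)
        for kind, paths in audit_webroot(root).items()
    }


if __name__ == "__main__":
    print(run_demo())
```

Point audit_webroot() at the real web root on a schedule. The signature is deliberately narrow (FileSystemObject plus a file name taken from Request), so a reader that hides the request value in an intermediate variable will slip past it; treat a hit as certain and a miss as "not proven", and combine the scan with the NTFS permissions discussed in point 3 rather than relying on it alone.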

3. Threats from the powerful FileSystemObject component

Under IIS3 and IIS4, ASP can perform all file operations through FileSystemObject: reading and writing text files, directory operations, copying, renaming and deleting files, and so on. This powerful feature also leaves a very dangerous backdoor. FileSystemObject can tamper with any file on a FAT partition, and even NTFS partitions can be damaged if permissions are not set, because an ASP page runs with the rights of the account IIS uses for the request (for unauthenticated visitors, the anonymous IUSR account). One careless moment and you may suffer a disaster. Unfortunately, many webmasters only know how to get the web server running and seldom set NTFS permissions, and NT's default directory permissions are terrible. So if you are a webmaster, the author strongly recommends that you pay close attention to server settings and build the web directory on an NTFS partition. Do not give Everyone Full Control of the directory; even members of the Administrators group do not need Full Control, Read and Change are enough.

4. Attacks that ASP applications may face. Many CGI guestbooks and BBS programs on the Internet take the message entered by a visitor into a variable and insert that variable into the HTML file that displays messages. Because the text is displayed inside an HTML file it must fit the HTML structure, so the CGI program wraps the input in fixed HTML: when the user's content is inserted, a leading and a trailing HTML tag are emitted around it, such as:

<font>text entered by the visitor</font>

But if you close and reopen the surrounding tags yourself, you can do many things.

If you enter the following information:

</font>your own HTML, which escapes the wrapper<font>

The leading </font> closes the tag the program opened and the trailing <font> pairs with the tag the program closes, so the program's wrapper no longer contains your text. Inserted into the HTML file it becomes:

<font></font>your own HTML, which escapes the wrapper<font></font>

With this it is easy to write an endless JavaScript loop. Enter the following in the input box:

<a href="../../url" onmouseover="while(1){window.close('////////////////////')}"> or <a href="url" onmouseover="while(true){window.close('////////////////////')}">

Any other visitor whose browser displays the message will hang in the endless loop. Programs developed in ASP may have the same problem, so when you write similar programs in ASP you must guard against it: for example, check the client input and neutralize all HTML and JavaScript. In ASP the simplest way is to pass the input through Server.HTMLEncode before writing it out, so that angle brackets and quotes are displayed as text rather than interpreted as tags.
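The vulnerable rendering described in point 4 beside its hardened form, added here as an example and not code from the original article. Python's html.escape does the same job as Server.HTMLEncode in ASP; the payload is a constructed reproduction of the one above, and the event-handler check is my own assumption about how to verify the output.

```python
"""Vulnerable and hardened rendering of a message-board entry. Added example,
not code from the original article. html.escape does what Server.HTMLEncode
does in ASP; the payload is a constructed reproduction of the one above."""
import html
import re

# Constructed payload: closes the program's <font> wrapper, injects a link
# with an endless loop in its event handler, then reopens the wrapper so
# the page's own closing tag still matches.
MALICIOUS_MESSAGE = (
    '</font><a href="../../url" onmouseover="while(1){window.close(\'////\')}">'
    "hover here</a><font>"
)

# Any tag carrying an on* event attribute will run script when rendered.
EVENT_HANDLER = re.compile(r"<\s*\w+[^>]*\son\w+\s*=", re.I)


def render_vulnerable(message: str) -> str:
    """The original guestbook pattern: raw input concatenated into HTML."""
    return "<font>" + message + "</font>"


def render_safe(message: str) -> str:
    """Encode the HTML metacharacters (including quotes) so the input is
    displayed as text and never parsed as markup."""
    return "<font>" + html.escape(message, quote=True) + "</font>"


def contains_active_html(fragment: str) -> bool:
    """Detect a live tag with an event handler in rendered output."""
    return EVENT_HANDLER.search(fragment) is not None


if __name__ == "__main__":
    print(render_vulnerable(MALICIOUS_MESSAGE))
    print(render_safe(MALICIOUS_MESSAGE))
```

Encoding on output is preferable to trying to strip tags on input: browsers accept a great deal of malformed markup, so a strip-the-tags filter tends to miss variants, whereas encoded text is inert no matter what it contains. The message is still stored and shown verbatim, so nothing the visitor wrote is lost.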

After reading this article, if you are shocked, check your existing website and ASP programs thoroughly for the vulnerabilities above. If you already understand all of them and have adequate countermeasures, let me still remind you to check your website and ASP programs frequently, and if you have databases, to check them frequently too, to stop others from exploiting vulnerabilities not yet known. Finally, if you have your own insights on the ASP security issues discussed here, or discover new vulnerabilities, I hope you will discuss them with me.

 
