ASP Tutorial: 18th block ASP Vulnerability

Whether you believe it or not, through the ASP, it may be easy to invade the Web server, the theft of files on the server, capture the Web database, such as the user password, or even malicious delete files on the server until the system damage, these are not sensational, and indeed have happened, This article will give you one by one to reveal the vulnerabilities of these ASP, and put forward some preventive advice.

In the last article, we focus on the "ADO access to the database how to page display" problem, a friend sent me a letter pointing out that I ignored an important parameter "PageCount" of the Recordset object when calculating the total number of pages, and it can automatically calculate the total number of pages after assigning a value to Pagesize. Without the use of "INT (rs.recordcount/pgsz*-1) *-1" Such a cumbersome formula. I would like to thank this friend for the zeal with which I pointed out the deficiencies in the procedure, since this program was written a long time ago, because the total number of records in the paging display does not necessarily divide the number of page display records, I am not sure whether PageCount can correctly draw the number of pages, So lazy wrote this formula: To tell the truth I have not tried to use PageCount, interested friends must try oh, but do not learn my laziness.

Recently, when I was discussing a problem on the BBS of chinaasp, I found that many friends didn't know much about the security of ASP. Do not even know how to solve the most common asp:: $DATA Display source code problems, so I think it is very necessary to give a large number of friends here to talk about this issue, in obtaining Chinaasp Bird's consent, I will he has written a little bit about ASP vulnerabilities and some of my own practical experience to give you a detailed analysis of this for the webmaster important ASP security issues.

When last year:: $DATA vulnerabilities were found and announced the next day, I have detected most of the domestic use of ASP sites, of which 99% have the above can see the source code problem, I even in Microsoft's site grabbed the Search.asp this file source code. You may find that it's no big deal to see the source code, and if you're webmaster, you're wrong. For example, if the ASP programmer will site login password directly written in the ASP, then once the source code is found, others can easily enter the page should not be seen, I have used this method for free to become a toll site members (people do not expose me Oh!) , and many database connection username and password are written directly in the ASP, once discovered, if your database allows remote access and there is no fortification is very dangerous. In some of the BBS programs developed with ASP, often using an Access MDB library, if the path to the MDB inventory is known, the database is likely to be downloaded by others, and if the database contains a password is not encrypted, it is very dangerous, the person who gets the password if intentional malicious destruction, he only need to Admin Identity Login Delete all BBS in the post, enough you choke. Here is a list of some of the vulnerabilities that have been found, I hope everyone to improve vigilance one, after the experiment we found that the WIN95+PWS running ASP program, simply in the browser address bar ASP file name after adding a small number of ASP program will be downloaded down. IIS3 also has the same problem, if you are still using IIS3 must be tested. A well-known vulnerability for
II, Iis2, IIS3, and IIS4 is that: $DATA, it is easy to see ASP code by using IE's view source or Netscape to access the ASP file directly. Win98+pws4 There is no such loophole.

What is the cause of this terrible loophole? The root of the problem is that Windows NT-specific file systems are doing strange things. People with a little common sense know that a file system that is completely different from FAT is provided in NT: NTFS, a technology called New technology file system makes NT have a higher security mechanism, but it is because it has caused a lot of headaches. As you may not know, NTFS supports a majority stream in a file, and the main data stream that contains all the content is called "data," making it possible to easily capture the script in the file by accessing this feature of the NTFS system directly in the browser. However, the direct result:: $DATA because IIS is having trouble parsing the filename, it does not have a good canonical file name.
How can we solve the problem? There are several ways:

A, the directory stored in the. asp file is set to unreadable (ASP can still execute), so that HTML, CSS and other files can not be placed in this directory, otherwise they will not be browsed.

b, is the installation of Microsoft-provided patches, download the address below (note that for different systems have different patches):

The patch is for IIS3, Intel platform

　　Ftp.microsoft.com/bussys/iis/iis-public/fixes/cht/security/iis3-datafix/iis3fixi.exe

The patch is for IIS3, Intel platform

　　Ftp.microsoft.com/bussys/iis/iis-public/fixes/cht/security/iis3-datafix/iis3fixa.exe

The patch is for IIS4, the Alpha platform

　　Ftp.microsoft.com/bussys/iis/iis-public/fixes/cht/security/iis4-datafix/iis4fixi.exe

The patch is for IIS4, the Alpha platform

　　Ftp.microsoft.com/bussys/iis/iis-public/fixes/cht/security/iis4-datafix/iis4fixa.exe

C, is installed on the server IE4.01SP1, this is effective, the author I have not specifically tried.

D, the author's personal opinion, as far as possible to install the English version of NT, and do not use the Chinese version, the reasons for the author is not sure, just according to practical experience in English version of the NT less than the Chinese version of the bug, if any friend know the reason must tell me.

Three. Problems with servers that support ASP's free home space and virtual hosting services

1, the ASP code on the server is likely to be other people with ASP permissions illegally acquired.

For a very simple example, there is an. asp file in the Microsoft ASP1.0 routine that is designed to view the source code for other. asp files, which is aspsamp/samples/code.asp. If someone uploads the program to the server and the server doesn't have any precautions, he can easily view other people's programs.
For example:

Code.asp?source=/directory/file.asp

2, the use of Access MDB database may be downloaded in general in the provision of ASP permissions on the free home server can not provide the service to set DSN, so the ASP program used by the database is usually limited to use the MDB library, and the MDB remote database is located in the location of the use of our 14th The Dsn-less method, as described in the interim, is specified directly in the ASP by the following methods:

<%CONNSTR = "dbq=" +server.mappath ("Database/source.mdb") + ";D efaultdir=;D river={microsoft Access DRIVER (*.mdb) };D riverid=25;fil=ms Access;implicitcommitsync=yes; maxbuffersize=512; maxscanrows=8; pagetimeout=5; safetransactions=0; threads=3; Usercommitsync=yes; " %>
As mentioned earlier, in this case the MDB library is likely to be downloaded by others, causing leaks such as passwords.

Therefore, as a webmaster should take certain measures, strictly prohibit the code.asp such programs (seemingly difficult to do, but can regularly retrieve feature code), to limit the download of MDB.

3. Threats from powerful FileSystemObject components

IIS3, IIS4 ASP file operations can be implemented through the FileSystemObject, including text files read and write directory operations, file copy renamed Delete, but this powerful feature also left a very dangerous "back door." Using Filesystemobjet, you can tamper with downloading any file on a FAT partition. Even NTFS partitions, if the permissions are not set, can also be destroyed, inadvertently you may suffer from "extinction." Unfortunately, a lot of webmaster only know that the Web server is running, the NTFS permissions are rarely set, and the default settings for NT directory permissions are unsafe and terrible. Therefore, if you are webmaster, the author strongly recommends that you pay close attention to the server settings, and try to build the Web directory on NTFS partitions, the directory does not set everyone Full control, even members of the Administrators group generally do not need to control, As long as there is read, change permissions is sufficient.
Four, the ASP application may face the attack in the past many of the Internet CGI write a message or BBS is the customer input into a variable, and then the variable inserted into the HTML file display message, so the customer input text to be displayed in the HTML file must conform to HTM L standard, and CGI programs are generally added to a specific HTML language. When the customer enters the content and inserts the HTML file, it is inserted into both the end-and-tail HTML statements, such as:

< font> customer input variable </font> But if the HTML tag before and after the screen, you can do a lot of things.

When typing:

</FONT> HTML-compliant statement < Font> < font> is used for HTML statements in a screen CGI. The insertion into the HTML file becomes:

< font></font> HTML-compliant statements < font></FONT> Because of such a feature, it makes it easy to write a dead loop of JavaScript, just enter in the input box:

< a href= "url" > or < a herf= "url" onmousever= "while (ture) {window.close ('/')} ' > so that other browsers that view the message will die in a dead loop. ASP developed programs may also have this problem, so when you use ASP to write similar programs should be done to prevent such operations, such as can write a program to determine the client input, and shielding all HTML, JavaScript statements.

After reading this period, if you are very shocked, then you must thoroughly to your existing website or ASP program for a check to see if there are such vulnerabilities. If you have an understanding of the vulnerabilities mentioned in the article and have adequate countermeasures, then congratulations to you, but also to remind you to often check your website and ASP programs, if you have a database should also be viewed frequently, in case others use some of our unknown vulnerabilities to attack. Finally, if you have any particular insights into the ASP security issues discussed in this article, or if you have any new discoveries about vulnerabilities, I hope you can write to me.