Author: xiaoyunyi
1. Preface
Microsoft Active Server Pages (ASP) is a server-side scripting environment that allows you to create and run dynamic and interactive Web server applications. Using ASP, you can combine HTML pages, script commands, and ActiveX components to create interactive Web pages and powerful Web-based applications.
At present, many websites, especially e-commerce websites, implement their front end in ASP, so ASP is widely used in website applications.
ASP is a quick tool for developing website applications. However, some website administrators see only ASP's rapid development capabilities and ignore its security issues. ASP has been plagued by many vulnerabilities and backdoors since the very beginning, including the nightmare of %81, password verification issues, and IIS vulnerabilities, all of which have alarmed ASP website developers.
This article attempts to describe ASP security issues and to provide solutions or suggestions, covering both vulnerabilities in the operating system that hosts ASP services and vulnerabilities in ASP programs.
2. Keywords
ASP, network security, IIS, SSL, encryption.
3. ASP Mechanism
The Active Server Pages technology gives application developers an intuitive, fast, and efficient script-based development method and greatly improves development efficiency. Before discussing ASP security, let's take a look at how ASP works.
ASP scripts are plain-text files written in a specific syntax (VBScript and JScript are currently supported) and mixed with standard HTML pages. When an end user accesses an ASP-based application over the Internet with a Web browser, the browser sends an HTTP request to the Web server. After the Web server analyzes the request and determines that it is for an ASP script, it automatically calls the ASP script interpretation engine (ASP.DLL) through ISAPI. ASP.DLL obtains the specified ASP script file from the file system or an internal buffer, and then parses and interprets it. The final result is HTML content, which is returned through the Web server along the original path to the Web browser and displayed on the client. This completes one ASP script call. A set of related ASP script calls makes up a complete ASP script application.
Let's take a look at the environment required to run ASP:
Microsoft Internet Information Server 3.0/4.0/5.0 on NT Server
Microsoft Internet Information Server 3.0/4.0/5.0 on Win2000
Microsoft Personal Web Server on Windows 95/98
Microsoft IIS in the Windows NT Option Pack provides powerful functions, but IIS is dangerous in terms of network security. Because Windows 95/98 is rarely used as a server, this article mostly discusses IIS security issues on NT.
4. Security advantages of ASP claimed by Microsoft
Although this article focuses on ASP vulnerabilities and backdoors, it is necessary to talk about ASP's "advantages" in terms of network security, because the "advantages" that Microsoft claims are precisely where its hidden security dangers lie.
Microsoft says that one of the major advantages of ASP in network security is that users cannot see the source of an ASP program. By design, ASP code is executed on the server and interpreted into standard HTML, which is then sent to the client browser. "Shielding" the source program protects the copyright of ASP developers: imagine that you worked hard to create a very good program and anyone could copy it. What would you think? Moreover, with the source in hand, hackers can analyze your ASP program and pick out vulnerabilities. More importantly, some ASP developers like to write passwords, privileged usernames, and paths in the program, so others can work out the password and path and easily find the "entrance" for attacking the system. However, many vulnerabilities have been discovered that can be used to view ASP source programs. We will discuss them later.
IIS supports virtual directories. You can manage virtual directories on the "Directory" tab of the "Server Properties" dialog box. Creating virtual directories is of great significance for managing Web sites. First, a virtual directory hides important information about the site's directory structure. In the browser, anyone can easily obtain the file path information of a page by selecting "View Source". If you use physical paths in a web page, you expose important information about the site's directories, which can easily lead to attacks on the system. Second, as long as two machines have the same virtual directory, you can move a Web page from one machine to the other without making any changes to the page code. In addition, when you place a Web page under a virtual directory, you can set different attributes for the directory, such as Read, Execute, and Script. Read access means that IIS passes the directory content to the browser. Execute access allows executable files in the directory to be run. When you need to use ASP, you must set the directory that holds your .asp files to "Execute". We recommend that you keep HTML files and ASP files in separate directories when setting up the Web site, and set the HTML subdirectory to "Read" and the ASP subdirectory to "Execute". This not only makes the Web site easier to manage, but also improves ASP program security and prevents program content from being read by clients.
5. ASP Vulnerability Analysis and Solutions
Some people say that a computer with no outside connection is the safest, and that a computer that closes all ports and provides no services is also the safest. Hackers often use open ports to launch attacks, the most common being DDoS attacks. Below I list more than 20 ASP vulnerabilities, each with a description and a solution.
1. Add a special symbol after the ASP program to see the ASP source program.
Affected Versions:
Win95 + PWS
IIS3.0
Win98 + PWS4 does not have this vulnerability.
This vulnerability does not exist in IIS4.0 or later versions.
Problem description:
These special symbols include the decimal point, %81 and ::$DATA. For example:
http://someurl/somepage.asp.
http://someurl/somepage.asp%81
http://someurl/somepage.asp::$DATA
http://someurl/somepage.asp%2e
http://someurl/somepage%2e%41sp
http://someurl/somepage%2e%asp
http://someurl/somepage.asp%2e
http://someurl/msadc/samples/selector/showcode.asp?source=/msadc/samples/.../../boot.ini (you can see the content of the boot.ini file)
When browsing a server that runs IIS3.0 or Win95 + PWS, the source of somepage.asp is easy to see. What causes this terrible vulnerability? The root cause is the file system specific to Windows NT. NT provides a file system completely different from FAT: NTFS, the New Technology File System. It gives NT a strong security mechanism, but it is also the source of many headaches. As you may not know, NTFS supports multiple data streams within a single file, and the main data stream, which holds all of the file's content, is called "DATA". A browser request that addresses this stream directly can therefore easily capture the script source in the file. The actual cause of the ::$DATA problem, however, is that IIS fails to parse the file name correctly and does not properly normalize it.
Solution and suggestions:
If you are a Windows NT user, install IIS4.0 or IIS5.0. Windows 2000 does not have this problem. Win95 users should install Win98 and PWS4.0.
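For servers that cannot be upgraded straight away, the request forms listed above can be looked for in the web server's logs. The following is an added example, not code from the original article: it classifies raw request URIs against those forms, and the log layout ("METHOD raw-uri status") and the reason labels are constructed for the illustration.

```python
import re
from urllib.parse import unquote_to_bytes

SCRIPT_EXT = b".asp"  # extension whose source must never be served as text

def disclosure_reasons(raw_uri: str) -> list:
    """Reasons a raw (still percent-encoded) URI matches a form listed above."""
    raw_path, _, raw_query = raw_uri.partition("?")
    # Decode to bytes: %81 is not valid UTF-8 and must survive as 0x81.
    path = unquote_to_bytes(raw_path).lower()
    name = path.split(b":", 1)[0]  # file name without any stream suffix
    last_raw = raw_path.rsplit("/", 1)[-1].lower()
    reasons = []
    if b"::$data" in path:
        reasons.append("ntfs-stream-suffix")
    if name.endswith(SCRIPT_EXT + b"."):
        reasons.append("trailing-dot")
    if name.endswith(SCRIPT_EXT + b"\x81"):
        reasons.append("trailing-0x81")
    # ".asp" appears only after decoding: the extension itself was escaped.
    if name.endswith(SCRIPT_EXT) and ".asp" not in last_raw:
        reasons.append("encoded-extension")
    # A "%" not followed by two hex digits, as in "somepage%2e%asp".
    if re.search(r"%(?![0-9a-fA-F]{2})", raw_path):
        reasons.append("malformed-escape")
    # A viewer script handed a path that climbs out of its directory.
    if b".." in unquote_to_bytes(raw_query):
        reasons.append("traversal-in-query")
    return reasons

# Constructed sample log lines: "METHOD raw-uri status" (not a real IIS log).
SAMPLE_LOG = """\
GET /somepage.asp 200
GET /somepage.asp%81 200
GET /somepage.asp::$DATA 200
GET /somepage%2e%41sp 200
GET /msadc/samples/selector/showcode.asp?source=/msadc/samples/.../../boot.ini 200
"""

def scan(log_text: str) -> dict:
    """Map each suspicious raw URI in the log to its list of reasons."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 3 and (why := disclosure_reasons(fields[1])):
            hits[fields[1]] = why
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The path is decoded to bytes rather than text because %81 is not valid UTF-8 and would otherwise be replaced during decoding and missed.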
2. ACCESS mdb database download Vulnerability
Problem description:
When ACCESS is used as the back-end database, it is very dangerous if someone knows, or works out by various methods, the path and name of the ACCESS database on the server, because the database file can then be downloaded. For example, if your ACCESS database book.mdb is stored in the database directory under the virtual directory, someone can enter the following in the browser:
http://someurl/database/book.mdb
If your book.mdb database was not encrypted in advance, all of its important data is in the hands of others.
Solution:
(1) Give your database file a complex, unconventional name and put it several directories deep. For example, if a database stores information about books, do not call it book.mdb; use a name such as d34ksfslf.mdb and put it in a directory such as ./kdslf/i44/studi/, so that it is difficult for hackers to obtain your ACCESS database file by guessing.
(2) Do not write the database name in the program. Some people like to write the DSN in the program, such as:
DBPath = Server.MapPath("analytic dB.mdb")
Conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & DBPath
If someone obtains the source program, the name of your ACCESS database is visible at a glance. Therefore, we recommend that you set up the data source in ODBC and write the following in the program:
Conn.Open "shujiyuan"
(3) Use ACCESS to encode and encrypt the database file. First, choose "Tools -> Security -> Encrypt/Decrypt Database", select the database (for example, employer.mdb), and then click OK. The window "Save the encrypted database as: employer1.mdb" then appears, and employer.mdb is encoded and stored as employer1.mdb.
Note that the above actions are not to set a password for the database, but to encode the database files to prevent others from using other tools to view the contents of the database files.
Next, we encrypt the database. First, we open the encoded employer1.mdb, and select the "exclusive" mode when opening it. Choose tools> Security> set database password from the menu, and enter the password.
After the password is set for employer1.mdb, ACCESS asks for the password whenever the database file is opened again, and the database can be opened only after the password is verified.
In an ASP program, however, you only need to add the Pwd parameter to the connection string passed to the Open method of the connection object. For example:
param = "driver={Microsoft Access Driver (*.mdb)};Pwd=yfdsfs"
param = param & ";dbq=" & Server.MapPath("employer1.mdb")
Conn.Open param
In this way, even if someone else gets the employer1.mdb file, they cannot view its contents without the password.
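To check whether a site is exposed to this problem at all, an administrator can look for database files stored under the web root. The following is an added example, not code from the original article: it walks a directory tree and reports every file that begins with an Access (Jet/ACE) file header, so renamed files are found as well. The sample directory tree and its file names are constructed.

```python
import os
import tempfile

# Both Access formats start with 00 01 00 00 followed by this text.
JET_MAGIC = (b"\x00\x01\x00\x00Standard Jet DB",   # .mdb
             b"\x00\x01\x00\x00Standard ACE DB")   # .accdb

def is_access_db(path: str) -> bool:
    """True if the file starts with an Access (Jet/ACE) header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(19)
    except OSError:
        return False
    return head.startswith(JET_MAGIC)

def exposed_databases(web_root: str) -> list:
    """URL paths of Access databases stored anywhere under web_root."""
    found = []
    for folder, _dirs, files in os.walk(web_root):
        for fname in files:
            full = os.path.join(folder, fname)
            if is_access_db(full):
                rel = os.path.relpath(full, web_root)
                found.append("/" + rel.replace(os.sep, "/"))
    return sorted(found)

def build_sample_root() -> str:
    """Constructed web root: one obvious .mdb, one renamed file, one page."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "database"))
    os.makedirs(os.path.join(root, "kdslf", "i44"))
    header = JET_MAGIC[0] + b"\x00" * 64  # real header, empty constructed body
    for rel, data in [("database/book.mdb", header),
                      ("kdslf/i44/d34ksfslf.dat", header),
                      ("default.asp", b"<% Response.Write \"hi\" %>")]:
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    print(exposed_databases(build_sample_root()))
```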
3. code.asp files may leak ASP code
Problem description:
For example, the ASP1.0 samples provided by Microsoft include an .asp file that is used to view the source code of other .asp files. This file is ASPSamp/Samples/code.asp. If someone uploads this program to the server and the server takes no preventive measures, it is easy for others to view the source of other programs. For example:
code.asp?source=/directory/file.asp
However, this is an old vulnerability, and it is believed that this vulnerability will rarely occur.
The following command is relatively new:
Http: // someu