The solution is that a computer that is not connected to the outside is the safest computer, a computer that shuts down all the ports and does not provide any services is also the safest. Hackers often use me
Ports that are open to attack, the most common of these attacks is DDoS (denial of service attacks). Below I will list the ASP more than 20 vulnerabilities, each vulnerability can be traced
and solutions.
1 in the ASP program after adding a special symbol, can see the ASP source program
Affected version:
Win95+pws
IIS3.0
98+pws4 There is no such loophole.
There is no such loophole in the version above IIS4.0.
Problem Description:
These special symbols include the decimal point,%81,:: $DATA. Like what:
Http://someurl/somepage.asp.
http://someurl/somepage.asp%81
http://someurl/somepage.asp:: $DATA
http://someurl/somepage.asp%2e
http://someurl/somepage%2e%41sp
http://someurl/somepage%2e%asp
http://someurl/somepage.asp%2e
Http://someurl/msadc/samples/selector/showcode.asp?source=/msadc/samples/../../../../../../boot.ini (CAN
See the contents of the Boot.ini file)
Then it is easy to see the somepage.asp source program in the IIS3.0 and WIN95+PWS browsing. What is the cause of this terrible loophole?
The root of the problem is that Windows NT-specific file systems are doing strange things. People with a little common sense know that a file system that is completely different from FAT is provided in NT:
NTFS, the technology called New technology file system makes NT have a higher security mechanism, but it is because it caused a lot of headaches. Everyone
It may not be known that NTFS supports a majority stream in a file, and that the main data stream that contains all the content is called "data", so that the browser
It is possible to easily capture the script in a file by directly accessing this feature of the NTFS system. However the direct result:: $DATA reason is because IIS in
There was a problem parsing the filename, and it did not properly standardize the file name.
Solutions and Recommendations:
If it is a Winodws NT user, installing IIS4.0 or iis5.0,windows2000 does not have this problem. If you are a Win95 user, install WIN98 and PWS4.0.
2 vulnerabilities where ACCESS MDB databases may be downloaded
Problem Description:
When you use Access as a background database, if someone knows or guesses the path and database name of the server's Access database in various ways, then he can
It is very dangerous to download this Access database file. For example, if your Access database is Book.mdb under a virtual directory,
Someone in the browser to enter:
http://Someurl/database/book.mdb
If your Book.mdb database is not encrypted beforehand, all the important data in the Book.mdb is in the hands of others.
Workaround:
(1) Make a complicated unconventional name for your database file name and put it in a few eyes
Recorded. The so-called "unconventional", for example: there is a database to keep the information about books, but do not put him a "Book.mdb" name, a strange name
Say, like D34ksfslf.mdb, and then put him in a few layers of/kdslf/i44/studi/, so that hackers want to guess the way your Access database
Files are even harder.
。
(2) Do not write the database name in the program. Some people like to write DSN in a program, such as:
DBPath = Server.MapPath ("Cmddb.mdb")
Conn. Open "Driver={microsoft Access driver (*.mdb)};d bq=" & DBPath
If you get a source program, your Access database will have a glance in the name. Therefore, it is recommended that you set up a data source in ODBC and then write it in the program:
Conn.Open "Shujiyuan"
(3) Use Access to encode and encrypt the database files. First in the Select tool-> ann
Full-> Encrypt/Decrypt the database, select the database (such as: Employer.mdb), then confirm, then the "Database encrypted Save as" window, Save as:
Employer1.mdb. Then the employer.mdb will be encoded and stored as employer1.mdb.
Note that the above action does not set a password on the database, but only encodes the database file to prevent others from using other tools to view
The contents of the database file.
Next we encrypt the database, first by opening the encoded Employer1.mdb, and when we open it, select "Exclusive" mode. Then select the function table's tools-
> Security-> Set the database password, then enter the password.
After you have set a password for Employer1.mdb, then if you use the Accees database file again, Access asks for a password before it can be verified correctly.
Move the database.
However, to add PWD parameters to the Connection object's open method in an ASP program, for example:
param= "Driver={microsoft Access driver (*.mdb)}; Pwd=yfdsfs "
param=param& ";d bq=" &server.mappath ("Employer1.mdb")
Conn.Open param
So even if someone gets the Employer1.mdb file, he can't see Employer1.mdb without a password.