Believe it or not, ASP can make it easy to break into a Web server: to steal files from the server, to capture the Web database and data such as user passwords, or even to maliciously delete files on the server until the system is damaged. None of this is sensationalism; these things have actually happened. This article will reveal these ASP vulnerabilities one by one and offer some preventive advice.
In the last article, we focused on the problem of how to display paged results when accessing a database through ADO. A friend sent me a letter pointing out that, when calculating the total number of pages, I had ignored an important property of the Recordset object, "PageCount", which automatically calculates the total number of pages once a value has been assigned to PageSize, with no need for a cumbersome formula such as "INT(rs.recordcount/pgsz*-1)*-1". I would like to thank this friend for so enthusiastically pointing out the deficiencies in the program. That program was written a long time ago; because the total number of records is not necessarily evenly divisible by the number of records shown per page, I was not sure whether PageCount would give the correct number of pages, so I lazily wrote this formula. To tell the truth, I have not tried PageCount; interested readers should try it, but do not copy my laziness.
Recently, when I was discussing a problem on the chinaasp BBS, I found that many friends did not know much about ASP security. Some did not even know how to solve the most common problem, the ASP ::$DATA source code display issue. I therefore think it is very necessary to talk about this subject here. With the consent of Chinaasp's Bird, I will combine what he has written about ASP vulnerabilities with some of my own practical experience to give you a detailed analysis of these ASP security issues, which are important to webmasters.
Last year, the day after the ::$DATA vulnerability was discovered and announced, I checked most of the domestic sites using ASP. 99% of them had the source code disclosure problem described above, and I even grabbed the source code of the Search.asp file from Microsoft's site. You may think that having your source code seen is no big deal; if you are a webmaster, you are wrong. For example, if the ASP programmer writes the site login password directly into the ASP file, then once the source code is exposed, others can easily enter pages they should not see. I have used this method to become a member of a paid site for free (please don't expose me!). Many database connection usernames and passwords are also written directly in the ASP file; once they are discovered, if your database allows remote access and has no defenses, it is very dangerous. BBS programs developed with ASP often use an Access MDB database. If the path to the MDB file is known, the database is likely to be downloaded by others, and if the passwords it contains are not encrypted, that is very dangerous: someone who obtains the password and wants to do damage only needs to log in as Admin and delete all the posts in the BBS, which is enough to cause you serious trouble. Here is a list of some of the vulnerabilities that have been found; I hope everyone will raise their vigilance.
1. Through experiments we found that, for ASP programs running on WIN95+PWS, simply adding a small number after the ASP file name in the browser address bar causes the ASP program to be downloaded.
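To check whether a site has been probed for the ::$DATA source disclosure or the MDB download problem described above, a webmaster can scan the Web server's request log. The following is an added example, not part of the original article; the three-field log format, the sample lines and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a simplified "METHOD PATH STATUS" format (assumption).
SAMPLE_LOG = """\
GET /default.asp 200
GET /search.asp::$DATA 200
GET /login.asp%3A%3A%24data 200
GET /bbs/data/bbs.mdb 200
GET /bbs/data/bbs.mdb 404
GET /images/logo.gif 200
"""

# A script name followed by the NTFS data-stream suffix, in any letter case.
STREAM_SUFFIX = re.compile(r"\.(asp|asa|inc)::\$data$", re.IGNORECASE)
# A direct request for an Access database file.
DATABASE_FILE = re.compile(r"\.mdb$", re.IGNORECASE)

def classify(line):
    """Return (kind, outcome, decoded_path) for a suspicious request, else None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    _method, raw_path, status = parts
    path = raw_path.split("?", 1)[0]
    # Percent-decode a few times so singly and doubly encoded suffixes both match.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if STREAM_SUFFIX.search(path):
        kind = "source-disclosure-attempt"
    elif DATABASE_FILE.search(path):
        kind = "database-download"
    else:
        return None
    # Status 200 means the server returned content for the request.
    outcome = "served" if status == "200" else "blocked"
    return (kind, outcome, path)

def scan(log_text):
    """Classify every line and keep only the suspicious ones."""
    return [f for f in map(classify, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

Any "served" finding means the file content left the server, so passwords stored in that script or database should be treated as exposed and changed.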