Server|web This paper mainly describes the security problems of Asp/iis and the corresponding countermeasures, do not advocate the use of this article mentioned
method to do any damage, or else bring the consequences to the conceited
Through ASP intrusion Web server, steal file Destroy system, this is not sensational ...
Security issues with IIS
1.IIS3/PWS's vulnerability
I have experimented, WIN95+PWS running ASP program, only need to add a decimal point in the browser address bar
The ASP program will be downloaded. IIS3 heard that the same problem, but I did not try to come out.
2.IIS4 's vulnerability
IIS4 a widely known vulnerability is:: $DATA, is the ASP's URL after adding these characters, code
Can also be seen, using IE's view source to see the ASP code. Win98+pws4 doesn't have that problem.
There are several solutions, one is to set the directory to be unreadable (ASP can still execute), so that the HTML file
Cannot be placed in this directory, otherwise HTML cannot be browsed. The second is to install the patch program provided by Microsoft. Three is
Install IE4.01SP1 on the server.
3. Problems in support of ASP's free homepage
Your ASP code may be available to someone.
ASP1.0 's example has a file to view the ASP's original code,/aspsamp/samples/code.asp
If someone put this program up, he can check other people's programs.
For example: code.asp?source=/someone/aaa.asp
The Access database you use may be downloaded by someone
Since the ASP program can be people get, others can easily know where your database is placed,
and download it, if the database contains the password is not encrypted, that ... It's dangerous.
Webmaster should take certain measures to prohibit the code.asp such procedures (it seems difficult to do,
However, you can periodically retrieve the signature code) to restrict the download of the MDB (No, NO)
4. Threats from the FileSystemObject
IIS4 ASP's file operations can be implemented through FileSystemObject, including reading and writing of text files
Directory operations, file copy renamed Delete, etc., but this dongdong is also very dangerous. Using Filesystemobjet
You can tamper with downloading any file on a FAT partition, even NTFS, if permissions are not set, you can also
Destruction, unfortunately many webmaster only know that the Web server is running, and NTFS is rarely set for permissions.
For example, a Web server that provides virtual hosting services, if permissions are not set, users can
Easily tamper with deleting any files on the machine and even let NT crash.
Program please refer to Active Server Explorer on the http://www.pridechina.com/chinaasp/
This program can browse all files and directories of the unprotected Web server.
Webmater should have web directories built on NTFS partitions, not web directories do not use the Everyone full
control, and it should be the administrator who can control it.