|
|
You're in the
iis security
group:Protecting asp include files
iis security:
stumble across one, causing who knows what to happen. As a first step, I want to rename all the include files from .asp to .inc. Then I want to lock down IIS so that users will get a 404 error whenever they try to access a inc file. 1. Is this a reasonable course of action? 2. If so, how to I tell IIS to not expose inc files. Note: I cannot move any file. Our directory structure is too well established. Also, I have over 5000 asp files, so I cannot simply make sure the include files will fail safely. -- Jonathan Allen
[quoted text, click to view]
> I would keep the asp extension. *.asp files will be executed on the server, > and will not be exposed as clear text to the user. The problem is I don't want them to be executed. Example... /main.asp /include_dbAccess.asp If someone were to type... http://mycompany/main.asp ....then include_dbAccess.asp will get executed safely. If someone were to type... http://mycompany/include_dbAccess.asp ....then include_dbAccess.asp will be executed in an untested way and something really bad might happen. -- Jonathan Allen [quoted text, click to view] "Kristofer Gafvert" <kgafvert@NEWSilopia.com> wrote in message news:%2398wgBxpEHA.2900@TK2MSFTNGP12.phx.gbl... > Hello, > > I would keep the asp extension. *.asp files will be executed on the server, > and will not be exposed as clear text to the user. > > -- > Regards, > Kristofer Gafvert > http://www.ilopia.com > > > "Jonathan Allen" <x@x.x> wrote in message > news:%23V$fowwpEHA.324@TK2MSFTNGP11.phx.gbl... > > I need a way to protect asp include files. My fear is that a user may > > stumble across one, causing who knows what to happen. > > > > As a first step, I want to rename all the include files from .asp to ..inc. > > Then I want to lock down IIS so that users will get a 404 error whenever > > they try to access a inc file. > > > > 1. Is this a reasonable course of action? > > 2. If so, how to I tell IIS to not expose inc files. > > > > Note: I cannot move any file. Our directory structure is too well > > established. Also, I have over 5000 asp files, so I cannot simply make > sure > > the include files will fail safely. > > > > -- > > Jonathan Allen > > > > > > > >
[quoted text, click to view]
> "Somehting really bad" would happen either way. The action of a > script doesn't change just because you included it. It can. For example, say the include file does something based on form variables. But the code to ensure that the form variables are valid is in a different file. (Yea, I know this is a bad way to write code, but it already exists and I'm just trying to minimize damage.) [quoted text, click to view] > fix your included files so "something > really bad" doesn't happen. I would like to, but there are over 5000 files. It is going to be a long road. -- Jonathan Allen [quoted text, click to view] "Jeff Cochran" <jeff.nospam@zina.com> wrote in message news:41626b30.556728933@msnews.microsoft.com... > On Thu, 30 Sep 2004 12:04:08 -0700, "Jonathan Allen" <x@x.x> wrote: > > >> I would keep the asp extension. *.asp files will be executed on the > >server, > >> and will not be exposed as clear text to the user. > > > >The problem is I don't want them to be executed. Example... > > > >/main.asp > >/include_dbAccess.asp > > > >If someone were to type... > > http://mycompany/main.asp > >...then include_dbAccess.asp will get executed safely. > > > >If someone were to type... > > http://mycompany/include_dbAccess.asp > >...then include_dbAccess.asp will be executed in an untested way and > >something really bad might happen. > > "Somehting really bad" would happen either way. The action of a > script doesn't change just because you included it. > > Either use the URLScan method of stopping .inc files from being sent > to the browser as text, or fix your included files so "something > really bad" doesn't happen. > > Jeff
Hello,
I would keep the asp extension. *.asp files will be executed on the server, and will not be exposed as clear text to the user. -- Regards, Kristofer Gafvert http://www.ilopia.com [quoted text, click to view] "Jonathan Allen" <x@x.x> wrote in message news:%23V$fowwpEHA.324@TK2MSFTNGP11.phx.gbl... > I need a way to protect asp include files. My fear is that a user may > stumble across one, causing who knows what to happen. > > As a first step, I want to rename all the include files from .asp to .inc. > Then I want to lock down IIS so that users will get a 404 error whenever > they try to access a inc file. > > 1. Is this a reasonable course of action? > 2. If so, how to I tell IIS to not expose inc files. > > Note: I cannot move any file. Our directory structure is too well > established. Also, I have over 5000 asp files, so I cannot simply make sure > the include files will fail safely. > > -- > Jonathan Allen > > >
[quoted text, click to view]
On Thu, 30 Sep 2004 12:04:08 -0700, "Jonathan Allen" <x@x.x> wrote: >> I would keep the asp extension. *.asp files will be executed on the >server, >> and will not be exposed as clear text to the user. > >The problem is I don't want them to be executed. Example... > >/main.asp >/include_dbAccess.asp > >If someone were to type... > http://mycompany/main.asp >...then include_dbAccess.asp will get executed safely. > >If someone were to type... > http://mycompany/include_dbAccess.asp >...then include_dbAccess.asp will be executed in an untested way and >something really bad might happen. "Somehting really bad" would happen either way. The action of a script doesn't change just because you included it. Either use the URLScan method of stopping .inc files from being sent to the browser as text, or fix your included files so "something really bad" doesn't happen.
Okay.
So, install URLScan, and prevent the extension .inc. "How to configure the URLScan Tool" http://support.microsoft.com/default.aspx?scid=kb;EN-US;326444 -- Regards, Kristofer Gafvert http://www.ilopia.com [quoted text, click to view] "Jonathan Allen" <x@x.x> wrote in message news:uqkETHypEHA.1688@TK2MSFTNGP10.phx.gbl... > > I would keep the asp extension. *.asp files will be executed on the > server, > > and will not be exposed as clear text to the user. > > The problem is I don't want them to be executed. Example... > > /main.asp > /include_dbAccess.asp > > If someone were to type... > http://mycompany/main.asp > ...then include_dbAccess.asp will get executed safely. > > If someone were to type... > http://mycompany/include_dbAccess.asp > ...then include_dbAccess.asp will be executed in an untested way and > something really bad might happen. > > -- > Jonathan Allen > > > "Kristofer Gafvert" <kgafvert@NEWSilopia.com> wrote in message > news:%2398wgBxpEHA.2900@TK2MSFTNGP12.phx.gbl... > > Hello, > > > > I would keep the asp extension. *.asp files will be executed on the > server, > > and will not be exposed as clear text to the user. > > > > -- > > Regards, > > Kristofer Gafvert > > http://www.ilopia.com > > > > > > "Jonathan Allen" <x@x.x> wrote in message > > news:%23V$fowwpEHA.324@TK2MSFTNGP11.phx.gbl... > > > I need a way to protect asp include files. My fear is that a user may > > > stumble across one, causing who knows what to happen. > > > > > > As a first step, I want to rename all the include files from .asp to > .inc. > > > Then I want to lock down IIS so that users will get a 404 error whenever > > > they try to access a inc file. > > > > > > 1. Is this a reasonable course of action? > > > 2. If so, how to I tell IIS to not expose inc files. > > > > > > Note: I cannot move any file. Our directory structure is too well > > > established. Also, I have over 5000 asp files, so I cannot simply make > > sure > > > the include files will fail safely. > > > > > > -- > > > Jonathan Allen > > > > > > > > > > > > > > >
[quoted text, click to view]
On Thu, 30 Sep 2004 13:32:54 -0700, "Jonathan Allen" <x@x.x> wrote: >> "Somehting really bad" would happen either way. The action of a >> script doesn't change just because you included it. > >It can. For example, say the include file does something based on form >variables. But the code to ensure that the form variables are valid is in a >different file. Launching the inlcude alone wouldn't also launch the form that provides the variables, would it? [quoted text, click to view] >(Yea, I know this is a bad way to write code, but it already exists and I'm >just trying to minimize damage.) It's also not terribly efficient, at least in most instances. Includes are for repetitive code, usually subroutines or functions, not for something like reacting to form input (with the exception of a routine to verify/purge input maybe). [quoted text, click to view] >> fix your included files so "something >> really bad" doesn't happen. > >I would like to, but there are over 5000 files. It is going to be a long >road. It will either way. That's one of the joys of redoing your programming techniques in mid production. But start on the easier and more used ones and you'll accomplish something.
Start refactoring your include files so that they contain routines
(functions/subs) or classes only. Then if someone requests one of these files, nothing "bad" will ever happen, as there is no call to any of these things. Cheers Ken [quoted text, click to view] "Jonathan Allen" <x@x.x> wrote in message news:%23m4bpzypEHA.1300@TK2MSFTNGP12.phx.gbl... >> "Somehting really bad" would happen either way. The action of a >> script doesn't change just because you included it. > > It can. For example, say the include file does something based on form > variables. But the code to ensure that the form variables are valid is in > a > different file. > > (Yea, I know this is a bad way to write code, but it already exists and > I'm > just trying to minimize damage.) > >> fix your included files so "something >> really bad" doesn't happen. > > I would like to, but there are over 5000 files. It is going to be a long > road. > > -- > Jonathan Allen > > > "Jeff Cochran" <jeff.nospam@zina.com> wrote in message > news:41626b30.556728933@msnews.microsoft.com... >> On Thu, 30 Sep 2004 12:04:08 -0700, "Jonathan Allen" <x@x.x> wrote: >> >> >> I would keep the asp extension. *.asp files will be executed on the >> >server, >> >> and will not be exposed as clear text to the user. >> > >> >The problem is I don't want them to be executed. Example... >> > >> >/main.asp >> >/include_dbAccess.asp >> > >> >If someone were to type... >> > http://mycompany/main.asp >> >...then include_dbAccess.asp will get executed safely. >> > >> >If someone were to type... >> > http://mycompany/include_dbAccess.asp >> >...then include_dbAccess.asp will be executed in an untested way and >> >something really bad might happen. >> >> "Somehting really bad" would happen either way. The action of a >> script doesn't change just because you included it. >> >> Either use the URLScan method of stopping .inc files from being sent >> to the browser as text, or fix your included files so "something >> really bad" doesn't happen. >> >> Jeff > >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |