Re: Can any programs download actual ASP content?
- From: Pierre Goiffon <pgoiffon@xxxxxxxxxxxxxxx>
- Date: Wed, 12 Oct 2005 09:37:12 +0200
Leif K-Brooks wrote:
>> I was talking to my host company representative this evening, and he thought that certain web crawlers (he mentioned Offline Explorer /and/ Anawave WebSnake) would be able to download the actual ASP pages rather than simply downloading the page as modified by IIS.
> There is no by-design way to do that.
True
> There could potentially be security holes in IIS which would allow for direct file access
There were!
One of the most famous ones was:
http://www.microsoft.com/technet/security/Bulletin/MS98-003.mspx (the well known $DATA hole)
But nowadays if you're using a well maintained server, there shouldn't be any risk about that.
However, it is still possible to open any file whose extension isn't mapped and that is located in a directory that is allowed to be read. That is often a problem with *.inc (files included via SSI)... Note also that if no custom ASP error message is defined, the default one includes the path of the concerned file - so it could include the path for the connexion.inc, for example, which contains the name and password to connect to your database...
You could ask your host provider to disallow reading in a particular directory (IIS option, not to be confused with NTFS permissions): the files in that directory could always be included in SSI, but any attempt to get them via the web server will be rejected.
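An added example, not part of the original post: a Python audit of a web root for the problem described above, included files such as *.inc whose extension is not script-mapped and which the server would therefore return as source. The MAPPED_EXTENSIONS set and the sample tree are assumptions constructed for illustration; the script cannot see the IIS Read setting, so its output is the list of files to move into a directory where reading is disallowed.

```python
import os
import re
import tempfile

# Assumption: extensions the server passes to a script engine rather than serving raw.
MAPPED_EXTENSIONS = {".asp", ".asa"}
# ASP/SSI include directive: <!-- #include file="..." --> or virtual="..."
INCLUDE_RE = re.compile(r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.I)

def is_mapped(path):
    return os.path.splitext(path)[1].lower() in MAPPED_EXTENSIONS

def find_exposed_includes(web_root):
    """Return included files under web_root that the server would send as plain text."""
    root = os.path.abspath(web_root)
    exposed = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in filter(is_mapped, files):
            with open(os.path.join(dirpath, name), encoding="latin-1") as fh:
                directives = INCLUDE_RE.findall(fh.read())
            for kind, target in directives:
                target = target.replace("\\", "/")
                # virtual= is relative to the site root, file= to the including page
                base, rel = ((root, target.lstrip("/")) if kind.lower() == "virtual"
                             else (dirpath, target))
                resolved = os.path.normpath(os.path.join(base, rel))
                inside = os.path.commonpath([root, resolved]) == root
                if inside and os.path.isfile(resolved) and not is_mapped(resolved):
                    exposed.add(os.path.relpath(resolved, root).replace(os.sep, "/"))
    return sorted(exposed)

def build_sample_site():
    """Constructed sample tree: one page, one .inc include, one .asp include."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "inc"))
    pages = {
        "default.asp": '<!-- #include file="inc/connexion.inc" -->\n'
                       '<!-- #INCLUDE VIRTUAL="/inc/header.asp" -->\n',
        "inc/connexion.inc": "<% ' constructed placeholder, no real credentials %>\n",
        "inc/header.asp": "<% ' constructed placeholder %>\n",
    }
    for rel, body in pages.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    print(find_exposed_includes(build_sample_site()))
```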