Re: Major Security Hole IIS NT
This WebDNA talk-list message is from 1998
It keeps the original formatting.
numero = 18630
interpreted = N
texte = And who could possibly do that to all of their sites and all the tpl/asp/etc. My god what an awful patch to an ugly problem. Not to mention the customers who lease space on our servers.

-----Original Message-----
From: Raymond Hatch
To: WebDNA-Talk@smithmicro.com
Date: Thursday, July 02, 1998 4:47 PM
Subject: Re: Major Security Hole IIS NT

>great idea but unfortunately the include tag will point to the file
>location that they can go to and look at it there.
>
>Ray
>
>At 04:04 PM 7/2/98, you wrote:
>>Another work around is to create a file that has the search code in it and
>>use the include tag. That way all they will see is the tag.
>>
>>
>>
>>At 11:13 AM 7/2/98, you wrote:
>>>IIS reveals all special CGI Code
>>>
>>>Think no one can read your contextual searches, think again.
>>>
>>>Hit your webpage on an IIS server
>>>
>>>like http://www.yourdomain.com/special.tpl
>>>
>>>now try it like this
>>>
>>>http://www.yourdomain.com/special.tpl::$DATA
>>>
>>>All source code is revealed, even the special webdna data,
>>>
>>>this applies to all special CGI's running on IIS like ASP and Perl. Try it.
>>>Hit your favorite Microsoft server and add the url ::$DATA and you will see
>>>the special source code.
>>>
>>>Look here, this page is running Microsoft's ASP and you can read it all.
>>>
>>>heheheh Pretty cool
>>>
>>>http://backoffice.microsoft.com/downtrial/default.asp::$DATA
>>>
>>>bummer is it also works on .tpl and the rest as well, I don't know about the
>>>encrypted pages available with 3.0 but I would be interested in hearing from
>>>others.
>>>
>>>Robert Minor
>>>Cybermill Communications
>>>
>>>
>
>Webmaster
>Mind Information Systems
>
>
>http://www.mindinfo.com
>
Bob Minor
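
A defender's check for the request pattern described in this thread, as an added example that is not part of the original messages: it scans web server log lines for request paths carrying the `::$DATA` stream suffix, including percent-encoded forms, and goes slightly beyond the thread by also flagging any other colon in the path. The three-field log layout, the sample lines and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# The NTFS stream suffix from the thread, e.g. "special.tpl::$DATA".
# Case-insensitive matching is a conservative choice made for this example.
DATA_STREAM = re.compile(r"::\$DATA", re.IGNORECASE)

def decode_path(target: str, max_rounds: int = 3) -> str:
    """Drop the query string and undo up to max_rounds of percent-encoding."""
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(target: str) -> str:
    """Return 'data-stream', 'colon-in-path' or 'ok' for a request target."""
    path = decode_path(target)
    if DATA_STREAM.search(path):
        return "data-stream"
    if ":" in path:
        return "colon-in-path"
    return "ok"

# Constructed sample lines (method, request target, status); not real traffic.
SAMPLE_LOG = """\
GET /special.tpl 200
GET /special.tpl::$DATA 200
GET /downtrial/default.asp%3A%3A%24data 200
GET /include/search.inc%253a%253a%2524DATA 404
GET /catalog.tpl?note=a::$DATA 200
GET /notes.txt:hidden 404
"""

def scan(log_text: str):
    """Return (line_number, target, verdict, status) for each flagged request."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not match the constructed layout
        _method, target, status = parts
        verdict = classify(target)
        if verdict != "ok":
            hits.append((lineno, target, verdict, status))
    return hits

if __name__ == "__main__":
    for lineno, target, verdict, status in scan(SAMPLE_LOG):
        print(f"line {lineno}: {verdict:13} status={status} {target}")
```

The same `classify` test can sit in front of the server as a request filter, which covers every template and include file at once instead of requiring a change to each page.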