Re: Major Security Hole IIS NT

This WebDNA talk-list message is from 1998. It keeps the original formatting.
And who could possibly do that to all of their sites and all the tpl/asp/etc. My god what an awful patch to an ugly problem. Not to mention the customers who lease space on our servers.

-----Original Message-----
From: Raymond Hatch
To: WebDNA-Talk@smithmicro.com
Date: Thursday, July 02, 1998 4:47 PM
Subject: Re: Major Security Hole IIS NT

>great idea but unfortunately the include tag will point to the file
>location that they can go to and look at it there.
>
>Ray
>
>At 04:04 PM 7/2/98, you wrote:
>>Another workaround is to create a file that has the search code in it and
>>use the include tag. That way all they will see is the tag.
>>
>>
>>
>>At 11:13 AM 7/2/98, you wrote:
>>>IIS reveals all special CGI Code
>>>
>>>Think no one can read your contextual searches, think again.
>>>
>>>Hit your webpage on an IIS server
>>>
>>>like http://www.yourdomain.com/special.tpl
>>>
>>>now try it like this
>>>
>>>http://www.yourdomain.com/special.tpl::$DATA
>>>
>>>All source code is revealed, even the special webdna data,
>>>
>>>this applies to all special CGI's running on IIS like ASP and Perl. Try it.
>>>Hit your favorite Microsoft server and add the url ::$DATA and you will see
>>>the special source code.
>>>
>>>Look here, this page is running Microsoft's ASP and you can read it all.
>>>
>>>heheheh Pretty cool
>>>
>>>http://backoffice.microsoft.com/downtrial/default.asp::$DATA
>>>
>>>bummer is it also works on .tpl and the rest as well, I don't know about the
>>>encrypted pages available with 3.0 but I would be interested in hearing from
>>>others.
>>>
>>>Robert Minor
>>>Cybermill Communications
>>>
>>
>
>Webmaster
>Mind Information Systems
>
>
>http://www.mindinfo.com
>

Bob Minor
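A defender's check for the request pattern discussed in this thread, added here as an example and not part of the original messages: it scans web-server access logs for paths whose last segment carries NTFS stream syntax such as `::$DATA`, decoding percent-escapes first so encoded colons are also caught. The log layout, sample lines and function names are constructed assumptions.

```python
from urllib.parse import unquote

# Constructed sample in W3C extended log style; addresses are documentation-range.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1998-07-02 16:04:11 192.0.2.10 GET /special.tpl 200
1998-07-02 16:04:19 192.0.2.10 GET /special.tpl::$DATA 200
1998-07-02 16:05:02 192.0.2.44 GET /default.asp%3A%3A%24data 200
1998-07-02 16:05:40 192.0.2.44 GET /cart/list.tpl%253a%253a$DATA 404
1998-07-02 16:06:03 192.0.2.51 GET /images/logo.gif 200
"""


def normalize(path, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded colons are seen."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def stream_suffix(path):
    """Return the NTFS stream part (e.g. '::$DATA') of the last segment, or None."""
    segment = normalize(path).replace("\\", "/").rsplit("/", 1)[-1]
    _name, colon, stream = segment.partition(":")
    return colon + stream if colon else None


def scan(log_text):
    """Return (client, raw_stem, suffix, served) for every stream-syntax request."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        suffix = stream_suffix(row.get("cs-uri-stem", ""))
        if suffix:
            # A 2xx status means the server returned content for the request.
            served = row.get("sc-status", "").startswith("2")
            findings.append((row["c-ip"], row["cs-uri-stem"], suffix, served))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings with `served` set to true are the ones to review first, since the server answered the stream-suffixed request with content.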
