ASP scripts create temporary files that aren't automatically removed
--------------------------------------------------------------------------------
SUMMARY
Active Server Pages (ASP) scripts that fail with runtime errors expose a
security hole: the error output discloses the full name of the source file
to the caller. If these scripts are published on the Internet before the
programmer fully debugs them, major search engines might index them. These
indexed ASP pages can then be located with a simple search. The search
results show the full path and file name of the ASP scripts; this URL can
be viewed in a browser and may reveal full source code with details of the
business logic, database location and structure, and possibly even
usernames and passwords that are present in the raw ASP page.
DETAILS
How to find those files via search engines:
- In the AltaVista search engine execute a search for:
  +"Microsoft VBScript runtime error" +".inc, "
- Look for search results that include the full path and filename for an
include (.inc) file.
- Append the include filename to the host name and call this up in a web
browser.
Example: www.example.com/stationery/browser.inc
Examples:
There are a huge number of examples on the web.
Resolution:
- Programmers should fully debug their ASP scripts before publishing them
on the web.
- Administrators need to secure the ASP include files so that external
users will not be able to view them.
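
One way an administrator can find the include files that need securing, as
an added example that is not part of the original advisory: the script walks
a web root, reads the #include directives in each .asp page, follows nested
includes, and lists included files that sit under the web root with an
extension other than .asp. It assumes the server hands only .asp files to
the script engine and returns everything else as raw text; the names
exposed_includes and SCRIPT_EXTS are illustrative.

```python
import os
import re
import sys

# ASP server-side include directive, e.g. <!-- #include file="browser.inc" -->
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE)

# Assumption: only these extensions are passed to the script engine;
# any other file under the web root is returned to the client as raw text.
SCRIPT_EXTS = {".asp"}


def exposed_includes(web_root):
    """Return web-relative paths of included files a browser could read as source."""
    root = os.path.realpath(web_root)
    queue = [os.path.join(d, f) for d, _s, fs in os.walk(root) for f in fs
             if os.path.splitext(f)[1].lower() in SCRIPT_EXTS]
    seen, exposed = set(queue), set()
    while queue:
        page = queue.pop()
        with open(page, errors="replace") as fh:
            directives = INCLUDE_RE.findall(fh.read())
        for kind, target in directives:
            target = target.replace("\\", "/")
            # file= resolves against the including page, virtual= against the site root
            base = root if kind.lower() == "virtual" else os.path.dirname(page)
            path = os.path.normpath(os.path.join(base, target.lstrip("/")))
            if os.path.commonpath([root, path]) != root or not os.path.isfile(path):
                continue  # outside the web root or missing: not reachable by URL
            if os.path.splitext(path)[1].lower() not in SCRIPT_EXTS:
                exposed.add(os.path.relpath(path, root).replace(os.sep, "/"))
            if path not in seen:  # follow nested includes once
                seen.add(path)
                queue.append(path)
    return sorted(exposed)


if __name__ == "__main__":
    for rel in exposed_includes(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("served as plain text:", rel)
```

Each reported file is a candidate for moving outside the web root or for
being denied to external requests.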
ADDITIONAL INFORMATION
The information was provided by: Jerry Walsh.