Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Aside: ability to view ASP/ColdFusion code

  • From: Manar Hussain
  • Date: Thu Jul 02 11:43:22 1998

This isn't really a NANOG issue so I'll keep it brief - I'm mentioning it
as it's something people here may well want to consider and pass on to
customers with NT servers.

Another MS security whole allows people to access the code for
ASP/ASA/ColdFusion pages by adding ::$data to the URL.

E.g.

http://www.allaire.com/handlers/index.cfm::$DATA

http://www.watford.co.uk/global.asa::$DATA

http://www.datareturn.com/av-asp.asp::$DATA

I understand that using SiteServer or making the file non-readable (but
retaining execute permissions!) "solves" the problem.

Regards,

Manar




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.