North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Aside: ability to view ASP/ColdFusion code
- From: Andrew Staples
- Date: Thu Jul 02 14:09:43 1998
This applies as well to perl and cgi scripts (cgi in iis3.0)
MS hasn't fixed their own site (heh), but they promise a fix today.
In the meantime, Christoph Wille <Christoph.Wille@softwing.com> from Sofwing
made available an IIS ISAPI filter that will protect a site from the ::$DATA
vulnerability. You can find it at
From: Manar Hussain <email@example.com>
>This isn't really a NANOG issue so I'll keep it brief - I'm mentioning it
>as it's something people here may well want to consider and pass on to
>customers with NT servers.
>Another MS security whole allows people to access the code for
>ASP/ASA/ColdFusion pages by adding ::$data to the URL.
>I understand that using SiteServer or making the file non-readable (but
>retaining execute permissions!) "solves" the problem.