Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Aside: ability to view ASP/ColdFusion code

  • From: Andrew Staples
  • Date: Thu Jul 02 14:09:43 1998

This applies as well to Perl and CGI scripts (CGI in IIS 3.0).

For example:
http://www.activestate.com/lyris/lyris.pl::$DATA

MS hasn't fixed their own site (heh), but they promise a fix today.
http://www.microsoft.com/default.asp::$DATA

In the meantime, Christoph Wille <Christoph.Wille@softwing.com> from Softwing
has graciously made available an IIS ISAPI filter that will protect a site
from the ::$DATA vulnerability. You can find it at
http://www.softwing.com/iisdev/ddatafix/

Andrew

-----Original Message-----
From: Manar Hussain <manar@ivision.co.uk>


>This isn't really a NANOG issue so I'll keep it brief - I'm mentioning it
>as it's something people here may well want to consider and pass on to
>customers with NT servers.
>
>Another MS security hole allows people to access the code for
>ASP/ASA/ColdFusion pages by adding ::$data to the URL.
>
>E.g.
>
>http://www.allaire.com/handlers/index.cfm::$DATA
>
>http://www.watford.co.uk/global.asa::$DATA
>
>http://www.datareturn.com/av-asp.asp::$DATA
>
>I understand that using SiteServer or making the file non-readable (but
>retaining execute permissions!) "solves" the problem.
>
>Regards,
>
>Manar
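
Added example, not part of the original messages or of the Softwing filter: a log check that flags requests whose path carries the ::$DATA suffix discussed in this thread, including percent-encoded and mixed-case forms. It generalizes slightly to any NTFS stream suffix of the form name:stream:$TYPE. The NCSA Common Log Format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Client, request target and status from an NCSA Common Log Format line (assumed format).
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# NTFS stream suffix on a path: "name::$DATA" or, more generally, "name:stream:$TYPE".
STREAM_RE = re.compile(r':[^/:]*:\$[a-z_]+', re.IGNORECASE)


def normalise(target, max_rounds=3):
    """Drop the query string, then percent-decode until stable so that
    %3A%3A%24DATA and double-encoded variants are seen as ::$DATA."""
    path = target.split('?', 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_stream_requests(lines):
    """Return (client, decoded_path, status) for each request naming an NTFS stream."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        path = normalise(m.group('target'))
        if STREAM_RE.search(path):
            hits.append((m.group('client'), path, int(m.group('status'))))
    return hits


# Constructed sample log lines (documentation addresses, not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jul/1998:14:01:07 -0400] "GET /default.asp HTTP/1.0" 200 5120',
    '192.0.2.44 - - [02/Jul/1998:14:02:31 -0400] "GET /default.asp::$DATA HTTP/1.0" 200 8342',
    '192.0.2.44 - - [02/Jul/1998:14:02:40 -0400] "GET /global.asa%3A%3A%24data HTTP/1.0" 200 911',
    '192.0.2.51 - - [02/Jul/1998:14:05:12 -0400] "GET /search.asp?q=a::$DATA HTTP/1.0" 200 2048',
    '192.0.2.60 - - [02/Jul/1998:14:06:00 -0400] "GET /handlers/index.cfm::$DATA HTTP/1.0" 404 0',
]

if __name__ == '__main__':
    for client, path, status in find_stream_requests(SAMPLE_LOG):
        # The status code helps triage: 200 suggests content was returned to the client.
        print(client, path, status)
```

The query-string line is not flagged because only the path portion of the request is examined.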




