Blocking ASP vulnerabilities

zhaozj2021-02-17  51

Whether or not you believe it, through ASP you can easily break into a web server, steal the files on it, capture user passwords from the web database, and even maliciously delete files on the server until the system is damaged. None of this is far-fetched. This article reveals these ASP vulnerabilities one by one and proposes some preventive measures.

In the previous installment I posed a question about how to display an Access database page by page with ADO. A friend then told me about an important parameter of the RecordSet object that I had overlooked when calculating the total number of pages: "PageCount". Once PageSize has been assigned, it yields the total number of pages automatically, without a cumbersome formula such as "rs.recordcount / pgsz * -1) * -1". I would like to thank this friend for enthusiastically pointing out the shortcoming in the program. That program was written a long time ago, and because the total number of records in a paged display is not necessarily the number of records on the page, I could not affirm at the time that PageCount would give the number of pages, so I wrote that formula :). To tell the truth, I have never tried PageCount; I will have to try it, and learn from my laziness.

Recently, while discussing questions on ChinaASP's BBS, I found that many friends do not understand some of ASP's security issues; some did not even know how to fix the most common one, ::$DATA exposing the source code, so I think it is necessary to focus on this problem here. With the consent of ChinaASP's bird, I will combine the introduction to ASP vulnerabilities he wrote with some of my own practical experience to give you a detailed analysis. ASP security issues are vital for a webmaster.

I. When the ::$DATA vulnerability was discovered and announced last year, I tested some domestic sites that use ASP: on ninety-nine percent of them the source code could be seen, and I even grabbed the source code of the Search.asp file on Microsoft's site. Perhaps you feel there is nothing wrong with someone seeing your source code. If you are a webmaster, you would be making a mistake. For example, if the ASP programmer writes the site's login password directly in the ASP, once the source code is exposed, others can easily enter pages they should not see; I used this method to become a free member of a site that charges for membership (please don't give me away!). Many database connection usernames and passwords are also written directly in ASP; once found, if your database allows remote access and has no protection, that is quite dangerous. BBS programs developed with ASP often use an Access MDB database. If the path where the MDB file is stored is known, the database is likely to be downloaded, and since the passwords in the database are not encrypted, that is very dangerous: whoever gets the admin password and is interested in malicious destruction only needs to delete every post in the BBS as admin, and that is enough. These are some of the vulnerabilities that have been discovered so far; I hope everyone stays vigilant.

After experimenting, we found that with PWS on Windows 95 you only need to add a dot after the ASP file name in the browser's address bar and the ASP program will be downloaded instead of executed. IIS3 has the same problem; if you are still using IIS3, you must test it.

II. A widely known vulnerability of IIS2, IIS3 and IIS4 is ::$DATA: open an ASP file directly in IE or Netscape with ::$DATA appended to the file name, use "view source", and the ASP code appears verbatim. PWS4 on Windows 98 does not have this vulnerability. What causes such a terrible vulnerability? The root cause lies in Windows NT's own file system. As everyone knows, NT provides a file system completely different from FAT: NTFS, the "New Technology File System". It gives NT a strong security mechanism, but it is also the source of many hazards. Not everyone knows that NTFS supports multiple data streams in one file, and the main data stream, the one that holds all of a file's content, is named $DATA. By naming that stream explicitly in the browser, retrieving the script inside the file becomes possible. Strictly speaking, though, ::$DATA is a bug in how IIS parses file names: it did not canonicalize the name, so "file.asp::$DATA" was not recognized as a request for a .asp file, and instead of being passed to the ASP interpreter the raw file was served as static content.

How should we solve this problem? There are several ways:

A. Remove the Read permission from the directory that stores the .asp files (ASP can still be executed, because scripts only need the Execute permission). HTML, CSS and other static files then cannot be placed in this directory, otherwise they cannot be browsed.

B. Install the patch provided by Microsoft, downloadable from the addresses below (note that there are different patches for different systems; the "i" and "a" in the file names denote the Intel and Alpha builds):

IIS3, Intel platform:

FTP.Microsoft.com/bussys/iis/iis-public/fixes/cht/security/iis3-datafix/iis3fixi.exe

IIS3, Alpha platform:

FTP.Microsoft.com/bussys/iis/iis-public/fixes/cht/security/iis3-datafix/iis3fixa.exe

IIS4, Intel platform:

FTP.Microsoft.com/bussys/iis/iis-public/fixes/cht/security/iis4-datafix/iis4fixi.exe

IIS4, Alpha platform:

FTP.Microsoft.com/bussys/iis/iis-public/fixes/cht/security/iis4-datafix/iis4fixa.exe

C. Install IE 4.01 SP1 on the server. Whether this is effective, the author has not tried it.

D. The author's personal opinion: try to install the English version of NT rather than the Chinese version. The author is not clear about the reason; it is only practical experience that the English version of NT has fewer such problems. If a friend knows the reason, please tell me.
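Before and after applying any of the fixes above, a webmaster should test his own server rather than trust the patch list. The following is an added example, not code from the original article: it builds the ::$DATA and trailing-dot variants of an ASP URL that the text describes, fetches each, and treats a 200 response that still contains unprocessed "<%" ... "%>" delimiters as disclosed source. The host name in the test, the User-Agent string and the "<%" heuristic are assumptions.

```python
"""Check an ASP URL for the source-disclosure variants described above."""
import urllib.error
import urllib.request

# Suffixes that old IIS/PWS builds failed to canonicalise (constructed list:
# the two forms named in the text, plus the unmodified URL as a control).
VARIANTS = {
    "control": "",              # normal request: should return rendered HTML
    "ntfs-stream": "::$DATA",   # IIS2/3/4: NTFS main data stream named explicitly
    "trailing-dot": ".",        # Win95 PWS / IIS3: dot appended to the file name
}


def candidate_urls(asp_url):
    """Return {variant: url}; the suffix goes on the path, before any query string."""
    path, sep, query = asp_url.partition("?")
    return {name: path + suffix + sep + query for name, suffix in VARIANTS.items()}


def looks_like_asp_source(body):
    """A correctly executed ASP page never contains '<%' ... '%>' because the
    interpreter consumes them; seeing both means the raw file was sent."""
    return "<%" in body and "%>" in body


def fetch(url, timeout=10):
    """GET url and return (status, body); HTTP error pages are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "asp-leak-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("latin-1", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("latin-1", "replace")


def classify(responses):
    """Given {variant: (status, body)}, name the variants that leaked source."""
    return sorted(name for name, (status, body) in responses.items()
                  if status == 200 and looks_like_asp_source(body))


def check(asp_url):
    """Fetch every variant of asp_url and report which ones disclose source."""
    return classify({name: fetch(url) for name, url in candidate_urls(asp_url).items()})


if __name__ == "__main__":
    import sys
    leaks = check(sys.argv[1])
    print("LEAK via " + ", ".join(leaks) if leaks else "no source disclosure observed")
```

Run it as `python check.py http://yourhost/somepage.asp` against a page you know contains server-side script; the control request must come back clean or the "<%" heuristic is meaningless for that page. Because the tool only looks for script delimiters, a server that returns a 200 error page will not be reported as leaking.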

III. Issues with servers that provide free ASP homepage space or virtual hosting services

1. ASP code on the server can be illegally obtained by other users who have ASP privileges.

A very simple example: Microsoft's ASP 1.0 ships a sample .asp file, aspsamp/samples/code.asp, whose sole purpose is to display the source code of other .asp files. If someone uploads this program to the server, he can easily view other people's programs.

For example:

code.asp?source=/directory/file.asp

2. An Access MDB database may be downloaded. Free homepage servers that grant ASP privileges generally do not offer the service of setting up a DSN, so the database used by an ASP program there is usually limited to an MDB file, and the location of the MDB is specified with the DSN-less method we discussed in issue 14, as follows:

<% connStr = "DBQ=" & Server.MapPath("Database/source.mdb") & ";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};DriverId=25;FIL=MS Access;ImplicitCommitSync=Yes;MaxBufferSize=512;MaxScanRows=8;PageTimeout=5;SafeTransactions=0;Threads=3;UserCommitSync=Yes;" %>

As mentioned earlier, in this case the MDB file is likely to be downloaded by others, leaking passwords and the like. Note what Server.MapPath does here: it resolves Database/source.mdb relative to the web site, so the database sits under the web root and is itself a URL. Anyone who learns the path, for instance from the connection string in a leaked ASP source, can request it directly with a browser.

Therefore, as a webmaster you should take measures to prohibit code.asp (this seems hard to do, but you can periodically search the uploaded files for its feature code) and to restrict downloading of MDB files.
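The following added example (not code from the original article) works out, for the DSN-less connection string under point 2, the URL from which IIS would hand out the MDB file, and checks whether a downloaded body really is an Access database rather than an error page. The web root, host name and file layout are assumptions; the "Standard Jet DB" header is the real signature of Access 97/2000 .mdb files.

```python
"""Where a DSN-less Access connection string leaves its MDB reachable by URL."""

WEB_ROOT = r"C:\InetPub\wwwroot"      # assumed document root of the site
JET_SIGNATURE = b"Standard Jet DB"    # bytes 4..19 of an Access 97/2000 .mdb file


def map_path(virtual_path, web_root=WEB_ROOT):
    """Imitates Server.MapPath: a relative path is resolved under the web root."""
    return web_root + "\\" + virtual_path.replace("/", "\\").lstrip("\\")


def build_conn_str(mdb_path):
    """The DSN-less string from the text, with DBQ filled in."""
    return ("DBQ=" + mdb_path + ";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
            "DriverId=25;FIL=MS Access;ImplicitCommitSync=Yes;MaxBufferSize=512;"
            "MaxScanRows=8;PageTimeout=5;SafeTransactions=0;Threads=3;UserCommitSync=Yes;")


def parse_conn_str(conn_str):
    """Split 'k=v;k=v;' into a dict with lower-cased keys."""
    pairs = (p.split("=", 1) for p in conn_str.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def exposed_url(conn_str, site="http://host", web_root=WEB_ROOT):
    """URL from which the DBQ file would be served, or None when the file lies
    outside the web root and therefore has no URL at all."""
    dbq = parse_conn_str(conn_str).get("dbq", "")
    root = web_root.rstrip("\\") + "\\"
    if not dbq.lower().startswith(root.lower()):
        return None
    return site + "/" + dbq[len(root):].replace("\\", "/")


def is_jet_database(head):
    """True if the first bytes of a downloaded body carry an Access MDB header
    (a 200 response that is really an HTML error page fails this check)."""
    return len(head) >= 19 and head[4:19] == JET_SIGNATURE


if __name__ == "__main__":
    # Constructed: the path from the text, resolved the way Server.MapPath would
    leaky = build_conn_str(map_path("Database/source.mdb"))
    print("downloadable at:", exposed_url(leaky))
    # Same database moved outside the web root: no URL reaches it
    moved = build_conn_str(r"D:\data\source.mdb")
    print("downloadable at:", exposed_url(moved))
```

The second case is the fix: give DBQ an absolute path outside the web root (or at least a directory with no web share), and grant the IIS anonymous account Read and Write on that one file. The `is_jet_database` check is meant for the first bytes of whatever a GET of the URL returns, so that a friendly 200 error page is not mistaken for a leak.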

3. Threats from the powerful FileSystemObject component

In IIS3 and IIS4, ASP can perform file operations through the FileSystemObject, including reading and writing text files and creating, copying, moving and deleting files and directories. This powerful function has also left a very dangerous back door: with FileSystemObject one can tamper with any file on a FAT partition, and even on an NTFS partition, if permissions are not set, files can be destroyed and you may suffer a catastrophe. What bounds the damage is the account the script runs as (the IIS anonymous user, IUSR_machinename, for anonymous requests): whatever that account can reach on disk, a FileSystemObject call in any user's ASP page can reach too. Unfortunately, many webmasters only know how to get the web server running and rarely set permissions, and NT's default directory permissions are terribly lax. So if you are a webmaster, the author strongly recommends you pay close attention to the server's settings: put the web directories on an NTFS partition, do not give Everyone Full Control, and even members of the Administrators group have no need for Full Control; Read and Change are enough.

4. Problems an ASP application may inherit from the past

Many message boards and BBS programs written as CGI on the Internet put the message entered by the visitor into a variable and then insert that variable into the HTML file that displays the messages. To make the inserted text conform to the HTML standard, the CGI program generally wraps the visitor's input in fixed HTML markup of its own when it writes it into the file.

But if the visitor's input itself contains HTML tags, a lot can be done. The tags the visitor types are inserted between the program's own HTML statements exactly as entered, so after insertion the HTML file contains them as live markup, and every browser that displays the message interprets them.

Because of this, it is easy to write a JavaScript infinite loop into a message; anyone who views that message with a browser hangs in the loop. Programs developed with ASP can have the same problem, so when you write similar programs with ASP you should handle this kind of input carefully: for instance, write code that checks the client's input and neutralizes all HTML and JavaScript statements before they are inserted.
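The two ways of inserting a message that point 4 contrasts, as an added example that is not code from the original article: the board's own template markup, the visitor's name and the sample messages are constructed. The escaping used is the same transformation classic ASP offers as Server.HTMLEncode; applying it at output time turns the visitor's text into data instead of markup, so the dead-loop script the text describes is displayed rather than run.

```python
"""A message board rendering visitor text raw (the old CGI way) and escaped."""
import html
import re

# The board's own markup (assumed); the visitor's text is substituted into it.
TEMPLATE = '<div class="msg"><b>{name}</b> wrote:<br>{body}</div>'
OWN_TAGS = {"div", "b", "br"}


def render_unsafe(name, body):
    """What the old CGI boards did: the visitor's text goes in verbatim."""
    return TEMPLATE.format(name=name, body=body)


def render_safe(name, body):
    """Escape '<', '>', '&' and quotes so the text cannot open or close a tag.
    Server.HTMLEncode does the same job in classic ASP."""
    return TEMPLATE.format(name=html.escape(name, quote=True),
                           body=html.escape(body, quote=True))


def foreign_tags(rendered):
    """Tag names in the output that are not the board's own; any such tag came
    from a visitor and will be interpreted by every browser showing the page."""
    found = {t.lower() for t in re.findall(r"</?([a-zA-Z][a-zA-Z0-9]*)", rendered)}
    return sorted(found - OWN_TAGS)


if __name__ == "__main__":
    # Constructed messages: the dead loop from the text, and a harmless one
    # whose '<' and '&' must still display correctly.
    loop = "<script>while (true) {}</script>"
    legit = "if a < b && c > d"
    for body in (loop, legit):
        print("raw    :", render_unsafe("guest", body))
        print("escaped:", render_safe("guest", body))
```

The same rule applies to every field the visitor controls, the name as much as the body, and to every place it is written out, not only the message file: if an ASP page later echoes the stored message with Response.Write, that write must go through Server.HTMLEncode too.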

After reading this installment, if you are shocked, you must thoroughly check your existing website and ASP programs for the vulnerabilities above. If you have already taken adequate countermeasures, congratulations; but you should still keep an eye on your website and ASP programs, especially if they use a database, in case someone attacks through a vulnerability we do not yet know about. Finally, if you have unique insights into the ASP security issues discussed in this article, or new discoveries about vulnerabilities, I hope you will get in touch.
