p2p.wrox.com Forums

security_asp thread: Security Issues with SSI's


Message #1 by "Matthew Murray" <m.murray@s...> on Fri, 10 Aug 2001 14:36:06
Ooo thanks for this.  Has given us food for thought.

Our security is predicated on the fact that you can only change pages from
"behind", i.e. not through the HTTP interface.

> -----Original Message-----
> From: Ken Schaefer [mailto:ken@a...]
> Sent: 15 August 2001 05:30
> To: Security_asp
> Subject: [security_asp] Re: Security Issues with SSI's
> 
> 
> All it takes is a bug that lets the client enter:
> 
> http://www.yourserver.com/scripts/../../../winnt/cmd.exe+/c etc...
> 
> Additionally, someone could change (or add) a webpage to your site (suppose
> you use FPSE and they crack a password) which did this:
> 
> <!-- #include file="../../boot.ini" -->
> 
> or similar - which would just plonk the contents of that file into your
> webpage as plain text. Or possibly they could add a webpage that used the
> FSO to grab files outside the webroot and copy them into the webroot, where
> they could be downloaded...
> 
> In answer to your question, "Enable Parent Paths" is on by default. It can
> (should) be turned off IMHO.
> 
> Cheers
> Ken
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ----- Original Message -----
> From: "Steve Carter" <Steve.Carter@t...>
> To: "Security_asp" <security_asp@p...>
> Sent: Tuesday, August 14, 2001 7:04 PM
> Subject: [security_asp] Re: Security Issues with SSI's
> 
> 
> : That's true, but the web user cannot, only the ASP script.
> :
> : Is 'parent paths' a default?  We haven't changed such a setting IIRC
> :
> : > -----Original Message-----
> : > From: Ken Schaefer [mailto:ken@a...]
> : > Sent: 14 August 2001 03:22
> : > To: Security_asp
> : > Subject: [security_asp] Re: Security Issues with SSI's
> : >
> : >
> : > Only if you enable parent paths - but this can be a security problem in
> : > itself, because if your webpages can get outside the WWW root, to
> : > c:\my_site\includes then they can also get to c:\winnt\
> : >
> : > Cheers
> : > Ken
> : >
> : > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> : > ----- Original Message -----
> : > From: "Steve Carter" <Steve.Carter@t...>
> : > To: "Security_asp" <security_asp@p...>
> : > Sent: Monday, August 13, 2001 9:21 PM
> : > Subject: [security_asp] Re: Security Issues with SSI's
> : >
> : >
> : > : Also, if you use #include file= (rather than #include virtual=) then your
> : > : includes don't have to be in the servable area of your site, thus
> : > : preventing people from requesting them directly anyway, e.g.
> : > :
> : > : my_site/wwwroot  <- in here goes default.asp and so-on.
> : > : my_site/includes <- this is not accessible thru the web server, but
> : > : you can get to it with #include file
> : > :
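An added example, not part of the thread or any participant's code: a small Python audit script that resolves each `#include file=` / `virtual=` directive in an ASP page the way the thread describes (file= relative to the including page, virtual= relative to the web root) and flags any that escape the wwwroot/includes directories, such as the `../../boot.ini` case Ken raises. The directory layout and page source are constructed for the example.

```python
import ntpath  # models Windows (IIS) path semantics even when run elsewhere
import re

# Matches SSI directives such as <!-- #include file="..\includes\header.inc" -->
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]*)"\s*-->', re.IGNORECASE)


def resolve_include(page_path, kind, target, wwwroot):
    """Filesystem path an include would read: file= is relative to the
    including page's directory, virtual= is relative to the web root."""
    target = target.replace("/", "\\")
    if kind.lower() == "file":
        base = ntpath.dirname(page_path)
    else:
        base = wwwroot
        target = target.lstrip("\\")
    return ntpath.normpath(ntpath.join(base, target))  # collapses '..' segments


def is_inside(path, root):
    """True if path lies under root once '..' segments are collapsed."""
    path, root = ntpath.normcase(path), ntpath.normcase(ntpath.normpath(root))
    try:
        return ntpath.commonpath([path, root]) == root
    except ValueError:  # paths on different drives share nothing
        return False


def audit_page(page_path, source, wwwroot, allowed_roots):
    """Return (kind, target, resolved_path, allowed) for every include found."""
    findings = []
    for kind, target in INCLUDE_RE.findall(source):
        resolved = resolve_include(page_path, kind, target, wwwroot)
        allowed = any(is_inside(resolved, r) for r in allowed_roots)
        findings.append((kind.lower(), target, resolved, allowed))
    return findings


# Constructed sample using the layout from the thread: pages live in
# my_site\wwwroot, includes in my_site\includes outside the servable area.
WWWROOT = r"c:\my_site\wwwroot"
ALLOWED_ROOTS = [WWWROOT, r"c:\my_site\includes"]
SAMPLE_PAGE = r"c:\my_site\wwwroot\default.asp"
SAMPLE_SOURCE = r"""<!-- #include file="..\includes\header.inc" -->
<!-- #include virtual="/includes/footer.inc" -->
<!-- #include file="../../boot.ini" -->"""

if __name__ == "__main__":
    for kind, target, resolved, ok in audit_page(SAMPLE_PAGE, SAMPLE_SOURCE,
                                                 WWWROOT, ALLOWED_ROOTS):
        print(f"{'ok ' if ok else 'BAD'} {kind}={target!r} -> {resolved}")
```

The third directive resolves to `c:\boot.ini`, outside both allowed roots, and is reported as BAD; with "Enable Parent Paths" turned off IIS would refuse such a `..` include outright.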
