Re: Major Security Hole IIS NT
This WebDNA talk-list message is from 1998
great idea but unfortunately the include tag will point to the file location that they can go to and look at it there.

Ray

At 04:04 PM 7/2/98, you wrote:
>Another workaround is to create a file that has the search code in it and
>use the include tag. That way all they will see is the tag.
>
>
>At 11:13 AM 7/2/98, you wrote:
>>IIS reveals all special CGI Code
>>
>>Think no one can read your contextual searches, think again.
>>
>>Hit your webpage on an IIS server
>>
>>like http://www.yourdomain.com/special.tpl
>>
>>now try it like this
>>
>>http://www.yourdomain.com/special.tpl::$DATA
>>
>>All source code is revealed, even the special webdna data,
>>
>>this applies to all special CGI's running on IIS like ASP and Perl. Try it.
>>Hit your favorite microsoft server and add the url ::$DATA and you will see
>>the special source code.
>>
>>Look here, this page is running Microsoft's ASP and you can read it all.
>>
>>heheheh Pretty cool
>>
>>http://backoffice.microsoft.com/downtrial/default.asp::$DATA
>>
>>bummer is it also works on .tpl and the rest as well, I don't know about the
>>encrypted pages available with 3.0 but I would be interested in hearing from
>>others.
>>
>>Robert Minor
>>Cybermill Communications
>>
>

Webmaster
Mind Information Systems
http://www.mindinfo.com
Raymond Hatch
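
A defender-side check for the request pattern discussed in this thread, added here as an example and not part of the original messages: it flags logged requests whose path ends in NTFS stream syntax such as `::$DATA`, including percent-encoded forms. The function names, the Common Log Format layout and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# NTFS stream syntax is "name:stream:$TYPE"; the thread's case is the unnamed
# stream, "file.ext::$DATA". Match any such suffix, case-insensitively.
STREAM_SUFFIX = re.compile(r":[^/\\:]*:\$[a-z_]+$", re.IGNORECASE)

def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so single and double encoding are both seen."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def requests_stream(url_path):
    """True if any path segment ends in NTFS stream syntax (query string ignored)."""
    path = decode_fully(url_path.split("?", 1)[0])
    return any(STREAM_SUFFIX.search(seg) for seg in re.split(r"[/\\]", path))

def flag_log_lines(lines):
    """Return (client, raw_path) for each logged request that names a stream."""
    hits = []
    for line in lines:
        m = re.match(r'(\S+) .*?"(?:GET|HEAD|POST) (\S+)', line)
        if m and requests_stream(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jul/1998:11:20:01 -0700] "GET /special.tpl HTTP/1.0" 200 5120',
    '192.0.2.44 - - [02/Jul/1998:11:21:15 -0700] "GET /special.tpl::$DATA HTTP/1.0" 200 7301',
    '192.0.2.44 - - [02/Jul/1998:11:21:40 -0700] "GET /default.asp%3A%3A%24data HTTP/1.0" 200 2048',
    '192.0.2.77 - - [02/Jul/1998:11:25:02 -0700] "GET /search.tpl?q=a::$DATA HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for client, path in flag_log_lines(SAMPLE_LOG):
        print(client, path)
```

The same `requests_stream` test can sit in front of the server as a request filter, rejecting a matching path before any file lookup happens.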