Re: Major Security Hole IIS NT
This WebDNA talk-list message is from 1998
It keeps the original formatting.
And who could possibly do that to all of their sites and all the tpl/asp/etc. My god what an awful patch to an ugly problem. Not to mention the customers who lease space on our servers.

-----Original Message-----
From: Raymond Hatch
To: WebDNA-Talk@smithmicro.com
Date: Thursday, July 02, 1998 4:47 PM
Subject: Re: Major Security Hole IIS NT

>great idea but unfortunately the include tag will point to the file
>location that they can go to and look at it there.
>
>Ray
>
>At 04:04 PM 7/2/98, you wrote:
>>Another work around is to create a file that has the search code in it and
>>use the include tag. That way all they will see is the tag.
>>
>>
>>
>>At 11:13 AM 7/2/98, you wrote:
>>>IIS reveals all special CGI Code
>>>
>>>Think no one can read your contextual searches, think again.
>>>
>>>Hit your webpage on an IIS server
>>>
>>>like http://www.yourdomain.com/special.tpl
>>>
>>>now try it like this
>>>
>>>http://www.yourdomain.com/special.tpl::$DATA
>>>
>>>All source code is revealed, even the special webdna data,
>>>
>>>this applies to all special CGI's running on IIS like ASP and Perl. Try it.
>>>Hit your favorite microsoft server and add the url ::$DATA and you will see
>>>the special source code.
>>>
>>>Look here, this page is running Microsoft's ASP and you can read it all.
>>>
>>>heheheh Pretty cool
>>>
>>>http://backoffice.microsoft.com/downtrial/default.asp::$DATA
>>>
>>>bummer is it also works on .tpl and the rest as well, I don't know about the
>>>encrypted pages available with 3.0 but I would be interested in hearing from
>>>others.
>>>
>>>Robert Minor
>>>Cybermill Communications
>>>
>>
>
>Webmaster
>Mind Information Systems
>
>
>http://www.mindinfo.com
>
Bob Minor
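
For anyone checking whether their own server received the `::$DATA` requests described in this thread, here is an added example (not part of the original messages) that scans web server log lines for request paths ending in that suffix, after undoing percent-encoding and ignoring case. The log lines are constructed, and the field order (date, time, c-ip, cs-method, cs-uri-stem, sc-status) is an assumption for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines; the field order (date time c-ip cs-method
# cs-uri-stem sc-status) is an assumption for this example.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1998-07-02 11:13:05 192.0.2.10 GET /special.tpl 200
1998-07-02 11:13:09 192.0.2.10 GET /special.tpl::$DATA 200
1998-07-02 11:14:40 198.51.100.7 GET /search/default.asp%3A%3A%24data 200
1998-07-02 11:15:02 198.51.100.7 GET /default.asp::$DATA 404
1998-07-02 11:16:30 203.0.113.4 GET /docs/a::b.htm 200
"""

# The suffix from the thread, anchored at the end of the path.
SUFFIX = re.compile(r"::\$DATA$", re.IGNORECASE)


def normalize(stem, rounds=3):
    """Drop any query string and undo percent-encoding, repeating a few
    times so a doubly encoded suffix is still recognised."""
    path = stem.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_stream_requests(log_text):
    """Return (client_ip, decoded_path, status, served) for each request
    whose path ends in ::$DATA; served is True when the status is 200."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, stem, status = fields[2], fields[4], fields[5]
        path = normalize(stem)
        if SUFFIX.search(path):
            hits.append((ip, path, status, status == "200"))
    return hits


if __name__ == "__main__":
    for hit in find_stream_requests(SAMPLE_LOG):
        print(hit)
```

Hits with a 200 status are the ones to review first, since those are the requests where the server returned content for the suffixed path.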