RE: Major Security Hole IIS NT
This WebDNA talk-list message is from 1998
It keeps the original formatting.
For now you can turn off 'read' access and only allow 'execute' on the
directories with scripts. .html pages won't be served though.

Aloha, Olin

> -----Original Message-----
> From: Bob Minor [mailto:bob@cybermill.com]
> Sent: Thursday, July 02, 1998 6:14 AM
> To: WebDNA-Talk@smithmicro.com
> Cc: jeff@cybermill.com
> Subject: Major Security Hole IIS NT
>
>
> IIS reveals all special CGI Code
>
> Think no one can read your contextual searches, think again.
>
> Hit your webpage on an IIS server
>
> like http://www.yourdomain.com/special.tpl
>
> now try it like this
>
> http://www.yourdomain.com/special.tpl::$DATA
>
> All source code is revealed, even the special webdna data,
>
> this applies to all special CGI's running on IIS like ASP and
> Perl. Try it.
> Hit your favorite Microsoft server and add the url ::$DATA and
> you will see
> the special source code.
>
> Look here, this page is running Microsoft's ASP and you can read it all.
>
> heheheh Pretty cool
>
> http://backoffice.microsoft.com/downtrial/default.asp::$DATA
>
> bummer is it also works on .tpl and the rest as well, I don't
> know about the
> encrypted pages available with 3.0 but I would be interested in
> hearing from
> others.
>
> Robert Minor
> Cybermill Communications
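Added example, not part of the original thread: a log check an administrator could run to see whether script paths were requested with the ::$DATA stream suffix discussed above, including percent-encoded forms. It assumes access logs in Common Log Format; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# NTFS stream syntax at the end of a path: "::$DATA" or ":name:$DATA".
STREAM_RE = re.compile(r":[^/\\:]*:\$[a-z_]+", re.IGNORECASE)
# Assumed Common Log Format: client, request line in quotes, status code.
LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+)[^"]*" (\d{3})')


def decode_fully(path, max_rounds=3):
    """Undo percent-encoding repeatedly so %3A and %253A both become ':'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_stream_suffix(url):
    """True if the path part (query string ignored) names an NTFS stream."""
    path = url.split("?", 1)[0]
    return bool(STREAM_RE.search(decode_fully(path)))


def flag_requests(lines):
    """Return (client, raw_url, status) for each request using stream syntax."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and has_stream_suffix(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jul/1998:06:20:01 -0700] "GET /special.tpl HTTP/1.0" 200 512',
    '192.0.2.11 - - [02/Jul/1998:06:21:44 -0700] "GET /special.tpl::$DATA HTTP/1.0" 200 4096',
    '192.0.2.12 - - [02/Jul/1998:06:22:10 -0700] "GET /default.asp%3A%3A%24data HTTP/1.0" 200 8192',
    '192.0.2.13 - - [02/Jul/1998:06:23:05 -0700] "GET /default.asp%253A%253A$DATA HTTP/1.0" 404 0',
    '192.0.2.14 - - [02/Jul/1998:06:24:30 -0700] "GET /search.tpl?q=a::b HTTP/1.0" 200 100',
]

if __name__ == "__main__":
    for client, url, status in flag_requests(SAMPLE_LOG):
        # A 200 status means the server returned content for the stream request.
        print(f"{client} requested {url} -> {status}")
```

A flagged request that returned 200 is the case to review first, since the script source may have been served.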