RE: Global.asa security under IIS 6.0

From: dinis@ddplus.net
Date: Wed Jun 09 2004 - 12:36:24 EDT


Of course, if you are hosting your website in a
shared hosting environment and the hoster allows Full
Trust ASP.NET (or supports FPSE 2002 without proper
security configuration), then your Global.asa or
Web.config can be easily read by a malicious user with
access to a valid account on that server.

Dinis

On Wed, 9 Jun 2004 10:20:45 -0400, "Don Tuer" wrote:

>
> Basically IIS will not return global.asa (and other configuration files)
> for any reason to a request. The only way to access this file is to exploit
> known or unknown vulnerabilities in IIS. This implies that you must keep
> IIS patched. For .NET, Microsoft has made many improvements in security,
> including allowing you to encrypt passwords in the configuration files
> (i.e. web.config).
>
> Thanks
> Don
>
> -----Original Message-----
> From: Bénoni MARTIN [mailto:Benoni.MARTIN@libertis.ga]
> Sent: Tuesday, June 08, 2004 4:18 AM
> To: webappsec@securityfocus.com; pen-test@securityfocus.com
> Subject: Global.asa security under IIS 6.0
>
> Hi list !
>
> I am wondering about how secure the "global.asa" file is in ASP. It
> seems that we can gather there most of the parameters used with our
> ASP pages, but it can also be a weakness if a malicious guy gets
> access to it!
>
> So does anyone know how secure it is to use global.asa, how we can get
> it from a website (IIS refuses access to it with an
> http://blahblahblah.com/global.asa)... and how we can avoid people
> stealing it?
>
>
> Thanks in advance!
