Active server pages (ASP) with runtime errors expose a security hole that publishes the full source code name to the caller. If these scripts are published on the internet before they are debugged by the programmer, the major search engines index them. These indexed ASP pages can be then located with a simple search. The search results publish the full path and file name for the ASP scripts. This URL can be viewed in a browser and may reveal full source code with details of business logic, database location and structure.
8df08f77a97c4061a43c01be319e5ef4511a09240fd42e5c021cd65c36a798af
Forwarded with permission of the author. Please direct all replies to
jwalsh@jwsg.com.
Ben Greenbaum
Director of Site Content
Security Focus
http://www.securityfocus.com
---------- Forwarded message ----------
Description:
============
Active server pages (ASP) with runtime errors
expose a security hole that publishes
the full source code name to the caller.
If these scripts are published on the
internet before they are debugged by
the programmer, the major search
engines index them. These indexed
ASP pages can be then located with a
simple search. The search results publish
the full path and file name for the ASP
scripts. This URL can be viewed in a browser
and may reveal full source code with
details of business logic, database location
and structure.
Procedure:
==========
- In the Altavisa search engine execute a search for
+"Microsoft VBScript runtime error" +".inc, "
- Look for search results that include the full
path and filename for an include (.inc) file.
- Append the include filename to the host name
and call this up in a web browser.
Example: www.rodney.com/stationery/browser.inc
Examples:
=========
http://shopping.altavista.com/inc/lib/prep.lib
Exposes database connections and properties, resource locations,
cookie logic, server IP addresses, business logic
http://www.justshop.com/SFLib/ship.inc
Exposes database properties, business logic
http://www.bbclub.com:8013/includes/general.inc
Exposes cobranding business logic
http://www.salest.com/corporate/admin/include/jobs.inc
Exposes datafile locations and structure
http://www.bjsbabes.com/SFLib/design.inc
Exposes source code for StoreFront 2000 including
database structure
http://www.ffg.com/scripts/IsSearchEngine.inc
Exposes search engine log
http://www.wcastl.com/include/functions.inc
Exposes members email addresses and
private comments file http://www.wcastl.com/flat/comments.txt
http://www.traveler.net/two/cookies.inc
Exposes cookie logic
Resolution:
===========
- Search engines should not index pages that
have ASP runtime errors.
- Programmers should fully debug their ASP
scripts before publishing them on the web
- Security administrators need to secure
the ASP include files so that external users
can not view them.
===========================
Jerry Walsh
JW's Software Gems
Email jwalsh@jwsg.com
Phone (949) 855-0233
Website http://www.jwsg.com
===========================