Believe it or not, through ASP you may be able to break into a web server with little effort, steal files from the server, capture user passwords for web databases and other systems, or even maliciously delete files until the system is damaged. It sounds sensational, and it has indeed happened. This article reveals these ASP loopholes one by one and puts forward some precautions.
In the previous article I focused on how to display pages when accessing ADO databases. A friend wrote to me pointing out that, when calculating the total number of pages, I ignored PageCount, an important property of the Recordset object: once PageSize has been assigned, it gives the total number of pages automatically, without a cumbersome formula like INT(RS.recordcount/PgSz*-1)*-1. I thank this friend for enthusiastically pointing out the shortcoming in the program. I wrote that program a long time ago; the total number of records is not necessarily divisible by the number of records shown per page, and at the time I could not be sure PageCount would return the page count correctly, so I lazily wrote that formula :). To be honest, I still have not tried PageCount. Interested friends should try it, and not copy my laziness.
Recently, while discussing problems on the chinaasp BBS, I found that many friends know little about the security issues of ASP; some do not even know how to deal with the most common one, the ::$DATA source-code disclosure. So I think it is very necessary to focus on this issue here for everyone. With the consent of Chinaasp Feiniao, I will give you a detailed analysis of the article he wrote about ASP vulnerabilities, plus some of my own practical experience: the ASP security issues that are crucial for a webmaster.
The day after the ::$DATA vulnerability was discovered and published last year, I tested most of the sites in China that used ASP at the time, and 99% of them had the source-code disclosure problem. On the same day I even grabbed the source code of the search.asp file on Microsoft's own site. You may think that seeing the source code is no big deal, but if you think so as a webmaster you are very wrong. For example, if an ASP programmer writes the site's login password directly into the ASP file, then once the source code is discovered others can easily enter pages they should never have seen. I once used this method to become a paying member of a website for free (don't expose me!). Many database connection usernames and passwords are also written directly in the ASP; once discovered, it is quite dangerous if your database allows remote access and is not fortified. BBS programs developed in ASP often use an Access mdb database, and if the path to the mdb file is known, the database can probably be downloaded. If the passwords stored in the database are not encrypted, that is very dangerous: someone who obtains the admin password and intends malicious damage only needs to log in as admin and delete every post in the BBS, which is enough to make you choke. The following lists some vulnerabilities discovered so far. I hope everyone will be vigilant.
1. Experiments show that when running ASP programs on win95+pws, you only need to add an extra dot after the asp file name in the browser address bar and the ASP program will be downloaded. IIS3 has the same problem; if you are still using IIS3, you must test it.
2. A well-known vulnerability of IIS2, IIS3 and IIS4 is ::$DATA. By directly accessing the asp file with this suffix and using IE's View Source or Netscape, you can easily see the ASP code. win98+pws4 does not have this vulnerability.
What exactly causes this terrible loophole? The root cause is the file system unique to Windows NT. Anyone with some common sense knows that NT provides a file system completely different from FAT: NTFS, the New Technology File System, which gives NT a stronger security mechanism but has also caused many headaches. You may not know that NTFS allows a file to contain multiple data streams, and the main stream holding all of the file's content is called $DATA. That is what makes it possible for a browser to address the NTFS stream directly and capture the script in the file. The direct cause of ::$DATA, however, is that IIS had a problem parsing file names: it did not canonicalize them properly.
How can we solve this problem? There are several ways:
a. Set the directory holding the .asp files to be unreadable (ASP can still execute). Then html, css and other static files cannot be placed in this directory, or they will not be served.
b. Install the patch provided by Microsoft. The download address is as follows (note that there are different patches for different systems):
This patch is for IIS3, Intel platform:
ftp.microsoft.com/bussys/iis/iis-public/fixes/cht/security/iis3-datafix/iis3fixi.exe
This patch is for IIS3, Alpha platform:
ftp.microsoft.com/bussys/iis/iis-public/fixes/cht/security/iis3-datafix/iis3fixa.exe
This patch is for IIS4, Intel platform:
ftp.microsoft.com/bussys/iis/iis-public/fixes/cht/security/iis4-datafix/iis4fixi.exe
This patch is for IIS4, Alpha platform:
ftp.microsoft.com/bussys/iis/iis-public/fixes/cht/security/iis4-datafix/iis4fixa.exe
c. Install IE4.01 SP1 on the server. Whether this is effective, the author has not specifically tried.
d. The author's personal opinion: try to install the English version of NT instead of the Chinese version. The author cannot explain the reason; it is just that, from practical experience, the English version of NT has fewer bugs than the Chinese version. If any friend knows the reason, please tell me.
3. Problems facing servers that offer free homepage space or virtual hosting with ASP support
1. The ASP code on the server is likely to be illegally obtained by other people who have ASP permissions.
A very simple example: the ASP 1.0 samples provided by Microsoft include a .asp file specifically for viewing the source of other .asp files, ASPSamp/Samples/code.asp. If someone uploads this program to a server that takes no precautions, he can easily view other people's programs.
For example:
code.asp?source=/directory/file.asp
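As an added example (not from the original article), here is a small Python log check that flags the three source-disclosure tricks described above: the trailing dot after an .asp name, the ::$DATA stream suffix, and a request to the sample code.asp viewer. The log lines are constructed for the example, and the paths are assumed to be request-line paths beginning with "/".

```python
import re
from typing import Optional
from urllib.parse import unquote

# Added example, not from the original article. It flags request paths that use
# the source-disclosure tricks described above: the trailing dot after an .asp
# name, the NTFS "::$DATA" stream suffix, and the ASPSamp code.asp viewer.
# Paths are assumed to be request-line paths such as "/dir/page.asp?x=1".

ADS_SUFFIX = re.compile(r"::\$data(\b|$)", re.IGNORECASE)   # NTFS named-stream syntax
SCRIPT_EXTS = (".asp", ".asa", ".inc")                       # files whose source matters

def normalise(path: str) -> str:
    """Decode percent-escapes twice (catches double encoding), unify slashes, lower-case."""
    return unquote(unquote(path)).replace("\\", "/").lower()

def disclosure_reason(raw: str) -> Optional[str]:
    """Return a short reason if the request looks like a source-disclosure attempt, else None."""
    path, _, query = raw.partition("?")
    name = normalise(path).rsplit("/", 1)[-1]
    if ADS_SUFFIX.search(name):
        return "ntfs-data-stream"        # e.g. search.asp::$DATA
    stem = name.rstrip(".")
    if stem != name and stem.endswith(SCRIPT_EXTS):
        return "trailing-dot"            # e.g. default.asp.
    if name == "code.asp" and "source=" in query.lower():
        return "code.asp-viewer"         # the Microsoft sample source viewer
    return None

# Constructed sample log lines (not real traffic): "<client> <method> <path> <status>"
SAMPLE_LOG = [
    "10.0.0.5 GET /index.asp 200",
    "10.0.0.5 GET /search.asp::$DATA 200",
    "10.0.0.9 GET /default.asp. 200",
    "10.0.0.9 GET /aspsamp/samples/code.asp?source=/directory/file.asp 200",
    "10.0.0.7 GET /login.asp%3A%3A%24DATA 200",
    "10.0.0.7 GET /readme.txt. 200",
]

def scan_log(lines):
    """Return (client, path, reason) for every line that matches a known trick."""
    hits = []
    for line in lines:
        client, _method, path, _status = line.split()
        reason = disclosure_reason(path)
        if reason:
            hits.append((client, path, reason))
    return hits

if __name__ == "__main__":
    for client, path, reason in scan_log(SAMPLE_LOG):
        print(f"{client:10} {reason:17} {path}")
```

A trailing dot on a non-script file such as readme.txt is deliberately not reported, since only script source is at stake.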
2. The Access mdb database used may be downloaded. Generally, a free homepage server that grants ASP permissions cannot set up a DSN for every user, so the databases used by ASP programs are usually limited to mdb files, and the location of the mdb file is specified directly in the ASP using the DSN-less method we mentioned in issue 14, as follows:
<% connstr = "DBQ=" & Server.MapPath("database/source.mdb") & ";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};DriverId=25;FIL=MS Access;ImplicitCommitSync=Yes;MaxBufferSize=512;MaxScanRows=8;PageTimeout=5;SafeTransactions=0;Threads=3;UserCommitSync=Yes;" %>
As mentioned earlier, in this case, the mdb library is likely to be downloaded by others, resulting in leakage of passwords, etc.
Therefore, as a webmaster, you should take measures to strictly prohibit programs such as code.asp (this seems hard to do, but their characteristic code can be searched for regularly) and to prevent the mdb file from being downloaded.
3. Threats from the powerful FileSystemObject component
In IIS3 and IIS4, ASP can perform file operations through FileSystemObject, including reading and writing text files, directory operations, and renaming and deleting files. This powerful feature also leaves a very dangerous backdoor: FileSystemObject can tamper with any file on a FAT partition, and even on NTFS it can do damage if the permissions are not set properly. If you are careless you may suffer a catastrophe. Unfortunately, many webmasters only know how to get the web server running and rarely set NTFS permissions, while the default NT directory permissions are terribly loose. So if you are a webmaster, the author strongly recommends that you pay close attention to the server settings and build the web directory on an NTFS partition. Do not give Everyone Full Control on the directory; even members of the Administrators group generally have no need for Full Control, since Read and Change permissions are enough.
4. Attacks that ASP applications may face
In the past, many guestbooks and BBS written in CGI took the message entered by the visitor as a variable and inserted that variable into the page that displays the messages.
If the text entered by the client is to be displayed in an HTML file, it must comply with the HTML standard, so CGI programs usually wrap it in specific HTML. When the client's content is inserted into the HTML file, the program puts its own opening and closing HTML statements around it, for example:
<font>variable entered by the client</font>
But if the HTML before and after can be neutralised, a lot of things become possible. If the visitor types:
</font>a statement that complies with the HTML standard<font>
then the <font> and </font> that the CGI adds are cancelled out by the </font> and <font> in the input, and what is inserted into the HTML file becomes:
<font></font>a statement that complies with the HTML standard<font></font>
Because of this, writing a vicious javascript loop is very easy; just enter in the input box:
<a href=URL onMouseover=while(1){window.close('/')}> or <a href=URL onMouseover=while(true){window.close('/')}>
and the browser of any other client who views the message hangs in the infinite loop. Programs developed in ASP can have the same problem, so when you write similar programs in ASP you should guard against such input, for example by writing code that checks the client's input and filters out all HTML and javascript statements.
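As an added example (not from the original article), the guestbook pattern described above in Python: the template wraps the visitor's message in <font>...</font>, shown both as written and with the input escaped before insertion, plus the input check the last sentence suggests. The payload is the one quoted above, embedded here as constructed sample input.

```python
import html
import re

# Added example, not from the original article: the guestbook pattern described
# above. The template wraps a visitor's message in <font>...</font>; shown as
# written (vulnerable) and with the input escaped before it is inserted.

def render_unsafe(message: str) -> str:
    """The original pattern: the message is pasted straight between the tags."""
    return "<font>" + message + "</font>"

def render_safe(message: str) -> str:
    """Escape the HTML-significant characters (& < > " ') so the text stays text."""
    return "<font>" + html.escape(message, quote=True) + "</font>"

TAG = re.compile(r"<[^>]+>")
EVENT_HANDLER = re.compile(r"\bon\w+\s*=", re.IGNORECASE)

def tags_from_visitor(rendered: str) -> list:
    """Tags in the rendered HTML other than the template's own <font> and </font>."""
    return [t for t in TAG.findall(rendered) if t not in ("<font>", "</font>")]

def looks_like_markup(message: str) -> bool:
    """The check the article suggests: reject input containing tags, on*= handlers or javascript: URLs."""
    return bool(TAG.search(message) or EVENT_HANDLER.search(message)
                or "javascript:" in message.lower())

# Constructed sample input: the breakout from the article, a closing </font>
# followed by an element carrying an event handler, then a <font> to re-balance.
PAYLOAD = "</font><a href=URL onMouseover=while(1){window.close('/')}>x</a><font>"
PLAIN = "Nice site, thanks for the tutorial!"

if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))            # the <a ...> lands in the page as live markup
    print(tags_from_visitor(render_unsafe(PAYLOAD)))
    print(render_safe(PAYLOAD))              # the same text, rendered inert
    print(tags_from_visitor(render_safe(PAYLOAD)))
    print(looks_like_markup(PAYLOAD), looks_like_markup(PLAIN))
```

Escaping on output is the more reliable of the two defences, since a block-list check like looks_like_markup has to anticipate every way of writing a tag.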
If you are shocked after reading this issue, you must thoroughly check your existing website and ASP programs for any of the vulnerabilities above. If you already understood the vulnerabilities mentioned in this article and have adequate countermeasures, then congratulations, but you should still be reminded to check your website and ASP programs frequently; if you have a database, check it frequently too, to prevent attacks through vulnerabilities we do not yet know about. Finally, if you have any unique insights into the ASP security issues discussed in this article, or have discovered new vulnerabilities, I hope you will write to me to discuss them.