The only thing I was able to find on the subject was a posting from 1997 (http://insecure.org/sploits/microsoft.asp.iis.html), so I was hoping someone on here might have more recent knowledge on this topic:
我能在这个主题上找到的唯一一件事是1997年发布的一篇文章(http://insecure.org/sploits/microsoft.asp.iis.html),所以我希望这里有人可能对此有更多的了解。话题:
Does anyone know if there are any known vulnerabilities in IIS6 that would allow a user to view an unprocessed ASP or ASPX page, outside of gaining control of the server?
有谁知道IIS6中是否存在任何已知的漏洞,允许用户在获得服务器控制权之外查看未经处理的ASP或ASPX页面?
4 个解决方案
#1
IIS will serve raw asp or aspx only if those extensions are removed from application mappings for the site, or if you done some other dumb thing to configure it that way.
只有在从站点的应用程序映射中删除这些扩展时,或者如果你做了一些其他愚蠢的事情来配置它,IIS才会提供原始的asp或aspx。
#2
Why would you want unprocessed asp pages? You could just have a link that will escape the page and put it into a webpage for the user.
为什么要使用未经处理的asp页面?你可以只有一个链接来逃避页面并将其放入用户的网页中。
To me it would be a potential security risk, as, if you forgot and left a security vulnerability it would be seen.
对我来说,这将是一个潜在的安全风险,因为如果你忘了并留下了一个安全漏洞就会被看到。
#3
If you didn't have your script mappings set up properly, this could be an issue, but that's more of a deploy-time concern, not a run-time concern.
如果您没有正确设置脚本映射,这可能是一个问题,但这更多的是部署时间问题,而不是运行时问题。
I think any other vulnerabilities in this area would be app-related (picking a file to download server side...), not so much platform related.
我认为这个领域的任何其他漏洞都与app有关(选择一个文件来下载服务器端......),而不是平台相关。
#4
Are you concerned about people being able to see your source code? If it is, I wouldn't worry too much about it, especially with .net and using code behind files, and a properly architectured n-tiered site.
您是否担心人们能够看到您的源代码?如果是的话,我不会太担心它,尤其是.net和使用代码隐藏文件,以及一个正确架构的n层网站。
Really, the only time this is a concern is if you have an error on your page and you spit out debugging code, even with classic asp.
真的,唯一一次这是一个值得关注的问题是,如果你的页面出现错误,你就会吐出调试代码,即使使用经典的asp也是如此。
#1
IIS will serve raw asp or aspx only if those extensions are removed from application mappings for the site, or if you done some other dumb thing to configure it that way.
只有在从站点的应用程序映射中删除这些扩展时,或者如果你做了一些其他愚蠢的事情来配置它,IIS才会提供原始的asp或aspx。
#2
Why would you want unprocessed asp pages? You could just have a link that will escape the page and put it into a webpage for the user.
为什么要使用未经处理的asp页面?你可以只有一个链接来逃避页面并将其放入用户的网页中。
To me it would be a potential security risk, as, if you forgot and left a security vulnerability it would be seen.
对我来说,这将是一个潜在的安全风险,因为如果你忘了并留下了一个安全漏洞就会被看到。
#3
If you didn't have your script mappings set up properly, this could be an issue, but that's more of a deploy-time concern, not a run-time concern.
如果您没有正确设置脚本映射,这可能是一个问题,但这更多的是部署时间问题,而不是运行时问题。
I think any other vulnerabilities in this area would be app-related (picking a file to download server side...), not so much platform related.
我认为这个领域的任何其他漏洞都与app有关(选择一个文件来下载服务器端......),而不是平台相关。
#4
Are you concerned about people being able to see your source code? If it is, I wouldn't worry too much about it, especially with .net and using code behind files, and a properly architectured n-tiered site.
您是否担心人们能够看到您的源代码?如果是的话,我不会太担心它,尤其是.net和使用代码隐藏文件,以及一个正确架构的n层网站。
Really, the only time this is a concern is if you have an error on your page and you spit out debugging code, even with classic asp.
真的,唯一一次这是一个值得关注的问题是,如果你的页面出现错误,你就会吐出调试代码,即使使用经典的asp也是如此。