COMMAND

    asp

SYSTEMS AFFECTED

    Systems with ASP

PROBLEM

    Jerry  Walsh  found  following.   Active  server  pages (ASP) with
    runtime  errors  expose  a  security  hole that publishes the full
    source code name  to the caller.   If these scripts  are published
    on the internet  before they are  debugged by the  programmer, the
    major search engines index them.   These indexed ASP pages can  be
    then located  with a  simple search.   The search  results publish
    the full path and file name for the ASP scripts.  This URL can  be
    viewed in a browser and  may reveal full source code  with details
    of business logic, database location and structure.

    Procedure is following:

        - In  the  Altavisa  search  engine  execute  a  search    for
          +"Microsoft VBScript runtime error" +".inc, "
        - Look  for  search  results  that  include the full path  and
          filename for an include (.inc) file.
        - Append the include filename  to the host name and  call this
          up in a web browser.  Example:
              www.rodney.com/stationery/browser.inc

    Examples:

    - http://shopping.altavista.com/inc/lib/prep.lib
      Exposes database connections and properties, resource locations,
      cookie logic, server IP addresses, business logic

    - http://www.justshop.com/SFLib/ship.inc
      Exposes database properties, business logic

    - http://www.bbclub.com:8013/includes/general.inc
      Exposes cobranding business logic

    - http://www.salest.com/corporate/admin/include/jobs.inc
      Exposes datafile locations and structure

    - http://www.bjsbabes.com/SFLib/design.inc
      Exposes  source  code  for  StoreFront  2000  including database
      structure

    - http://www.ffg.com/scripts/IsSearchEngine.inc
      Exposes search engine log

    - http://www.wcastl.com/include/functions.inc
      Exposes  members  email  addresses  and  private  comments  file
      http://www.wcastl.com/flat/comments.txt

    - http://www.traveler.net/two/cookies.inc
      Exposes cookie logic

SOLUTION

    - Search  engines should  not index  pages that  have ASP  runtime
      errors.

    - Programmers  should  fully  debug  their  ASP  scripts    before
      publishing them on the web

    - Security administrators need to secure the ASP include files  so
      that external users can not view them.

    ALL  included  files  MUST  have  a  ".asp" extension and that ASP
    debugging should be  disabled on all  production servers in  order
    to keep  all code  out of  evil hands.   The problem  here is 100%
    between the chair and the keyboard.

    If you  follow any  of the  ASP newsgroups,  websites, or  mailing
    lists they always recommend one  of 2 actions to prevent  problems
    with include files.

        1.  Associate .inc files with the asp interpreter
        2.  Name all of you include files with the .asp extension instead of .inc.

    There is no reason that the  files need and .inc extension.   This
    will insure that  if someone finds  the name of  your include file
    through an error  or even by  guessing they will  not see anything
    compromising.

    The following is also true for PHP.  Naming PHP include files .inc
    gives anyone full-read  access to the  files by simply  requesting
    them by name.