Which files are visible in a website?
Hi,

This is maybe not a pure ASP question, but has some relation:
Please help me throw some light on this:

Which directories and files are visible and readable for a (hacking) user at a Website:

a) directories in the default website (obviously: YES)
b) .asp-files in the default Website
c) .asp-files in any directory outside the default Website
d) virtual directories, with files, referred to in the Website
e) any virtual directory, with files, set up in IIS
f) any other directory and file on the server computer that you know the local physical path to
g) any other directory and file on the server computer that you know a valid URL to

Any comment is appreciated, thanks

Larry
Re: Which files are visible in a website?
On Mon, 4 Aug 2003 17:56:21 -0500, "Curt_C [MVP]" <Software_AT_Darkfalz.com> wrote:

>A) yes, but listing the contents is a switch you can turn on/off.
>B) yes by default BUT you can turn this off.
>C) no, unless you've specified it as another site.
>D) yes, depending on the file type though it may not be.
>E) see D
>F) not usually if the system is patched/up to date.
>G) yes usually, see D though.

Thanks Curt C!!
I guess the subject is too large to handle in a thread...
You don't happen to know a good book where I can dig deeper into all the details??

BTW, how do you turn the .asp-files to be not visible?

/Larry
Re: Which files are visible in a website?
"LarryM" <lm1798@telia.com> wrote in message news:kcptivcd9vo20gin9nkksmciraskk20ng7@4ax.com...

> On Mon, 4 Aug 2003 17:56:21 -0500, "Curt_C [MVP]" <Software_AT_Darkfalz.com> wrote:
>
> >A) yes, but listing the contents is a switch you can turn on/off.
> >B) yes by default BUT you can turn this off.
> >C) no, unless you've specified it as another site.
> >D) yes, depending on the file type though it may not be.
> >E) see D
> >F) not usually if the system is patched/up to date.
> >G) yes usually, see D though.
>
> Thanks Curt C!!
> I guess the subject is too large to handle in a thread...
> You don't happen to know a good book where I can dig deeper into all the details??
>
> BTW, how do you turn the .asp-files to be not visible?

.asp files are not visible, just the HTML output (e.g. "Response.Write"). ASP files, by default (etc.), are processed by the server first after each request. (Unless using FTP rather than HTTP)

Don

> /Larry
Re: Which files are visible in a website?
On Mon, 4 Aug 2003 19:26:25 -0400, "Don Verhagen" <news@southeast-florida.com> wrote:

>"LarryM" <lm1798@telia.com> wrote in message
>news:kcptivcd9vo20gin9nkksmciraskk20ng7@4ax.com...
>> On Mon, 4 Aug 2003 17:56:21 -0500, "Curt_C [MVP]" <Software_AT_Darkfalz.com> wrote:
>>
>> >A) yes, but listing the contents is a switch you can turn on/off.
>> >B) yes by default BUT you can turn this off.
>> >C) no, unless you've specified it as another site.
>> >D) yes, depending on the file type though it may not be.
>> >E) see D
>> >F) not usually if the system is patched/up to date.
>> >G) yes usually, see D though.
>>
>> Thanks Curt C!!
>> I guess the subject is too large to handle in a thread...
>> You don't happen to know a good book where I can dig deeper into all the details??
>>
>> BTW, how do you turn the .asp-files to be not visible?
>
>.asp files are not visible, just the HTML output (e.g. "Response.Write"). ASP
>files, by default (etc.), are processed by the server first after each
>request. (Unless using FTP rather than HTTP)

So, visible using FTP..
And since I have an exclusive access to my Website by a FTP login, and Anonymous FTP Access is turned off, then only I (and the provider) can see the .asp-files, right?

/Larry

>Don
>
>> /Larry
Re: Which files are visible in a website?
On Mon, 4 Aug 2003 19:07:59 -0500, "Curt_C [MVP]" <Software_AT_Darkfalz.com> wrote:

>simply disassociate them with the ASP.DLL in the IIS manager.

And that doesn't affect the ASP code execution?
And the .asp-files are still visible in FTP?

/Larry
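
Added example, not part of any poster's message: a small check for the two HTTP-side exposures discussed in the thread so far, a directory URL that returns a listing (answer A) and an .asp URL that returns script source instead of rendered output. The sample responses are constructed, and the marker patterns (ASP `<% %>` delimiters, the IIS "[To Parent Directory]" link) are assumptions chosen for the example, not an exhaustive list.

```python
import re

# Assumed markers for this example: classic ASP script delimiters or a
# server-side script tag in the body mean the source was not processed.
ASP_SOURCE = re.compile(
    r"<%.*?%>|<script[^>]*\brunat\s*=\s*[\"']?server", re.I | re.S
)
# Assumed marker: the parent link IIS puts at the top of a directory listing.
DIR_LISTING = re.compile(r"\[To Parent Directory\]", re.I)


def classify(path, status, body):
    """Return findings for one HTTP response fetched from your own site."""
    if status != 200:
        return []  # 403/404: nothing was served for this path
    findings = []
    if ASP_SOURCE.search(body):
        findings.append("source-disclosure")
    if path.endswith("/") and DIR_LISTING.search(body):
        findings.append("directory-listing")
    return findings


# Constructed sample responses: (path, status, body)
SAMPLES = [
    # Normal case: the server ran the script, only HTML output comes back.
    ("/default.asp", 200, "<html><body>Hello</body></html>"),
    # The .asp file was returned as-is, script source included.
    ("/default.asp", 200,
     '<%@ Language=VBScript %>\n<% Response.Write("Hello") %>'),
    # Directory browsing switched on.
    ("/images/", 200,
     '<pre><A HREF="/">[To Parent Directory]</A><br>logo.gif</pre>'),
    # Directory browsing switched off.
    ("/images/", 403, "Directory Listing Denied"),
]


def audit(samples):
    """Classify every sample; returns a list of (path, findings) pairs."""
    return [(path, classify(path, status, body))
            for path, status, body in samples]


if __name__ == "__main__":
    for path, findings in audit(SAMPLES):
        print(path, findings or "ok")
```
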
Re: Which files are visible in a website?
On Mon, 04 Aug 2003 22:26:17 GMT, LarryM <lm1798@telia.com> wrote:

>This is maybe not a pure ASP question, but has some relation:
>Please help me throw some light on this:
>
>Which directories and files are visible and readable for a (hacking) user at a
>Website:
>a) directories in the default website (obviously: YES)

Not mine.

>b) .asp-files in the default Website

Not mine.

>c) .asp-files in any directory outside the default Website

Not mine.

>d) virtual directories, with files, referred to in the Website

Not... Okay, you see the pattern here.

>e) any virtual directory, with files, set up in IIS
>f) any other directory and file on the server computer that you know the local
>physical path to
>g) any other directory and file on the server computer that you know a valid
>URL to

Securing files/folders is a matter of several permissions in combination. If you allow anonymous access, then you presumably allow at least some files to be displayed to anyone who hits your web site URL. Beyond that, you can configure any or all pages to be served through ASP only, and not directly from the system. You can configure your system such that pages never exist until sent to the browser, serving dynamically from a database that can't be directly accessed.

You also should consider that just making files available to a browser or not isn't security against hackers. Most script hacks won't look at your pages and determine to hack them, they just scan for known holes to see if you've plugged them. So you're far more likely to be a hacking victim from other issues besides file availability.

Jeff
Re: Which files are visible in a website?
On Tue, 05 Aug 2003 06:24:22 GMT, LarryM <lm1798@telia.com> wrote:

>On Mon, 4 Aug 2003 19:26:25 -0400, "Don Verhagen" <news@southeast-florida.com> wrote:
>
>>"LarryM" <lm1798@telia.com> wrote in message
>>news:kcptivcd9vo20gin9nkksmciraskk20ng7@4ax.com...
>>> On Mon, 4 Aug 2003 17:56:21 -0500, "Curt_C [MVP]" <Software_AT_Darkfalz.com> wrote:
>>>
>>> >A) yes, but listing the contents is a switch you can turn on/off.
>>> >B) yes by default BUT you can turn this off.
>>> >C) no, unless you've specified it as another site.
>>> >D) yes, depending on the file type though it may not be.
>>> >E) see D
>>> >F) not usually if the system is patched/up to date.
>>> >G) yes usually, see D though.
>>>
>>> Thanks Curt C!!
>>> I guess the subject is too large to handle in a thread...
>>> You don't happen to know a good book where I can dig deeper into all the details??
>>>
>>> BTW, how do you turn the .asp-files to be not visible?
>>
>>.asp files are not visible, just the HTML output (e.g. "Response.Write"). ASP
>>files, by default (etc.), are processed by the server first after each
>>request. (Unless using FTP rather than HTTP)
>So, visible using FTP..
>And since I have an exclusive access to my Website by a FTP login,
>and Anonymous FTP Access is turned off, then
>only I (and the provider) can see the .asp-files, right?

And the guy who guesses your password. And the guy who hacks another account on the same box and elevates his privileges. And the guy who calls your ISP, says he's you and needs a copy of his files burned to CD. And the guy who walks in the door of your ISP and simply copies the files to disk. And the...

Security isn't as simple as you're looking for.

Jeff
Re: Which files are visible in a website?
Thanks guys for all your comments and tips, I feel a bit … humble about the security issues, there is obviously a lot to deal with..

/Larry