Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP General > Which files are visible in a website?

Reply
Thread Tools

Which files are visible in a website?

 
 
LarryM
Guest
Posts: n/a
 
      08-04-2003
Hi,

This is maybe not a pure ASP question, but has some relation:
Please help me throw some light on this:

Which directories and files are visible and readable for a (hacking) user at a
Website:
a) directories in the default website (obviously: YES)
b) .asp-files in the default Website
c) .asp-files in any diretory outside the default Website
d) virtual directories, with files, referred to in the Website
e) any virtual directory, with files, set up in IIS
f) any other directory and file on the server computer that you know the local
physical path to
g) any other directory and file on the server computer that you know a valid
URL to

any comment is appreciated, thanks
Larry


 
Reply With Quote
 
 
 
 
LarryM
Guest
Posts: n/a
 
      08-04-2003
On Mon, 4 Aug 2003 17:56:21 -0500, "Curt_C [MVP]" <Software_AT_Darkfalz.com>
wrote:

>A) yes, but listing the contents is a switch you can turn on/off.
>B) yes by default BUT you can turn this off.
>C) no, unless you've specified it as another site.
>D) yes, depending on the file type though it may not be.
>E) see D
>F) not usually if the system is patched/up to date.
>G) yes usually, see D though.


Thanks Curt C!!
I guess the subject is to large to handle in a thread...
You don't happen to know a good book where I can dig deeper into all the
details??

BTW, how do you turn the .asp-files to be not visible?

/Larry
 
Reply With Quote
 
 
 
 
Don Verhagen
Guest
Posts: n/a
 
      08-04-2003

"LarryM" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Mon, 4 Aug 2003 17:56:21 -0500, "Curt_C [MVP]"

<Software_AT_Darkfalz.com>
> wrote:
>
> >A) yes, but listing the contents is a switch you can turn on/off.
> >B) yes by default BUT you can turn this off.
> >C) no, unless you've specified it as another site.
> >D) yes, depending on the file type though it may not be.
> >E) see D
> >F) not usually if the system is patched/up to date.
> >G) yes usually, see D though.

>
> Thanks Curt C!!
> I guess the subject is to large to handle in a thread...
> You don't happen to know a good book where I can dig deeper into all the
> details??
>
> BTW, how do you turn the .asp-files to be not visible?


..asp files is not visible just the HTML output (eg "Response.Write"). ASP
Files, by default (etc.) are processed by the server first after each
request. (Unless using FTP rather than HTTP)

Don





> /Larry



 
Reply With Quote
 
LarryM
Guest
Posts: n/a
 
      08-05-2003
On Mon, 4 Aug 2003 19:26:25 -0400, "Don Verhagen" <(E-Mail Removed)>
wrote:

>
>"LarryM" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed).. .
>> On Mon, 4 Aug 2003 17:56:21 -0500, "Curt_C [MVP]"

><Software_AT_Darkfalz.com>
>> wrote:
>>
>> >A) yes, but listing the contents is a switch you can turn on/off.
>> >B) yes by default BUT you can turn this off.
>> >C) no, unless you've specified it as another site.
>> >D) yes, depending on the file type though it may not be.
>> >E) see D
>> >F) not usually if the system is patched/up to date.
>> >G) yes usually, see D though.

>>
>> Thanks Curt C!!
>> I guess the subject is to large to handle in a thread...
>> You don't happen to know a good book where I can dig deeper into all the
>> details??
>>
>> BTW, how do you turn the .asp-files to be not visible?

>
>.asp files is not visible just the HTML output (eg "Response.Write"). ASP
>Files, by default (etc.) are processed by the server first after each
>request. (Unless using FTP rather than HTTP)

So, visible using FTP..
And since I have an exclusive access to my Website by a FTP login,
and Anonymous FTP Access is turned off, then
only I (and the provider) can see the .asp-files, right?

/Larry

>Don
>
>
>
>
>
>> /Larry

>


 
Reply With Quote
 
LarryM
Guest
Posts: n/a
 
      08-05-2003
On Mon, 4 Aug 2003 19:07:59 -0500, "Curt_C [MVP]" <Software_AT_Darkfalz.com>
wrote:

>simply disassociate them with the ASP.DLL in the IIS manager.

And that doesn't affect the ASP code execution?
And the .asp-files are still visible in FTP?
/Larry
 
Reply With Quote
 
Jeff Cochran
Guest
Posts: n/a
 
      08-05-2003
On Mon, 04 Aug 2003 22:26:17 GMT, LarryM <(E-Mail Removed)> wrote:

>This is maybe not a pure ASP question, but has some relation:
>Please help me throw some light on this:
>
>Which directories and files are visible and readable for a (hacking) user at a
>Website:
>a) directories in the default website (obviously: YES)


Not mine.

>b) .asp-files in the default Website


Not mine.

>c) .asp-files in any diretory outside the default Website


Not mine.

>d) virtual directories, with files, referred to in the Website


Not... Okay, you see the pattern here.

>e) any virtual directory, with files, set up in IIS
>f) any other directory and file on the server computer that you know the local
>physical path to
>g) any other directory and file on the server computer that you know a valid
>URL to


Securing files/folders is a matter of several permissions in
combination. If you allow anonymous access, then you presumably allow
at least some files to be displayed to anyone who hits your web site
URL. Beyond that, you can configure any or all pages to be served
through ASP only, and not directly from the system. You can configure
your system such that pages never exist until sent to the browser,
serving dynamically from a database that can't be directly accessed.

You also should consider that just making files available to a browser
or not isn't security against hackers. Most script hacks won't look
at your pages and determine to hack them, they just scan for known
holes to see if you've plugged them. So you're far more likely to be
a hacking victim from other issues besiades file availability.

Jeff
 
Reply With Quote
 
Jeff Cochran
Guest
Posts: n/a
 
      08-05-2003
On Tue, 05 Aug 2003 06:24:22 GMT, LarryM <(E-Mail Removed)> wrote:

>On Mon, 4 Aug 2003 19:26:25 -0400, "Don Verhagen" <(E-Mail Removed)>
>wrote:
>
>>
>>"LarryM" <(E-Mail Removed)> wrote in message
>>news:(E-Mail Removed). ..
>>> On Mon, 4 Aug 2003 17:56:21 -0500, "Curt_C [MVP]"

>><Software_AT_Darkfalz.com>
>>> wrote:
>>>
>>> >A) yes, but listing the contents is a switch you can turn on/off.
>>> >B) yes by default BUT you can turn this off.
>>> >C) no, unless you've specified it as another site.
>>> >D) yes, depending on the file type though it may not be.
>>> >E) see D
>>> >F) not usually if the system is patched/up to date.
>>> >G) yes usually, see D though.
>>>
>>> Thanks Curt C!!
>>> I guess the subject is to large to handle in a thread...
>>> You don't happen to know a good book where I can dig deeper into all the
>>> details??
>>>
>>> BTW, how do you turn the .asp-files to be not visible?

>>
>>.asp files is not visible just the HTML output (eg "Response.Write"). ASP
>>Files, by default (etc.) are processed by the server first after each
>>request. (Unless using FTP rather than HTTP)

>So, visible using FTP..
>And since I have an exclusive access to my Website by a FTP login,
>and Anonymous FTP Access is turned off, then
>only I (and the provider) can see the .asp-files, right?


And the guy who guesses your password. And the guy who hacks another
account on the same box and elevates his priveleges. And the guy who
calls your ISP, says he's you and needs a copy of his files burned to
CD. And the guy who walks in the door of your ISP and simply copies
the files to disk. And the...

Security isn't as simple as you're looking for.

Jeff
 
Reply With Quote
 
LarryM
Guest
Posts: n/a
 
      08-05-2003

Thanks guys for all your comments and tips,
I feel a bit humble about the security issues,
there is obviously a lot to deal with..

/Larry

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Input button visible when not visible tshad ASP .Net 1 10-31-2009 10:53 PM
How to make a hyperlink Visible or not visible in DataList Patrick Olurotimi Ige ASP .Net 7 06-15-2005 12:01 PM
Sections visible and not visible tshad ASP .Net 4 01-31-2005 09:30 PM
button visible/not visible tshad ASP .Net 6 10-28-2004 10:02 PM
Panel.Visible = True also make child controls visible. spamfurnace ASP .Net 1 05-24-2004 03:07 AM



Advertisments