
[Full-Disclosure] FYI Only - Interesting Dot Net configuration item
Good Morning List

I've been running some tests on an ASP dot Net web technology system and ran into some things that would be good FYI from a security perspective. Since this is still new technology in some respects, there are some configuration items that should be observed, or at least noted possibly as a policy item, but security folks should be looking for these items when they are testing a dot net system.

For interest's sake, go to Google and run the following if you want more information on these files (or to observe folks that didn't do their security right, and to observe first hand the data that is given over. Again, as with all security, risk is defined by the organization; this may or may not be risky depending on your viewpoint.)

allinurl: "trace.axd"
allinurl: "web.config"
allinurl: "aspx.cs" for C# source
allinurl: "aspx.vb" for VBS source

Trace dot axd is a tracing function that can be controlled in the web.config file. The default is to not release this data, but the developer can modify the web.config file to show all trace data to an outside client. This data includes cookie session data and other data that could be useful for session hijacking, and for determining the physical configuration of the web server, including physical and logical drive space. This runs in memory, and is purged on a FIFO basis, or when IIS is restarted.

The web.config file holds configuration data for dot net for the web server. It provides good configuration data about how the dot net environment is set up for the web server. It can also hold connection string information for connecting to database systems, other systems, and virtual directories if not using integrated security.

All source files (.CS or .VB) can provide information about how the web application is set up, what it imports, and in some cases hold connection string data for accounts on database backend systems. That data is included if not using the ODBC DSN system. (Although it could be there if any form of credentials are embedded anywhere in the source code for a web system.)

Just thought I would pass this along as I have not seen anything like this posted on the network at all. My suggestion based on this data is that all Dot Net code bases uploaded onto a production server be configured in such a way that these data points are not exposed to the public. The default is that these are protected system files, but a developer can change these bounds, and there should be a handshake between security and development for production or other internet exposed systems.

Hope this was interesting.
r/
Dan
Sometimes MSN E-mail will indicate that the message failed to be delivered. Please resend when you get those; it does not mean that the mail box is bad, merely that MSN mail is overworked at the time.
Otherwise, hope things are going well.
r/
Dan
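As an added illustration (not part of Dan's post), here is a hypothetical web.config showing the trace setting the message describes in its exposed form beside the locked-down form, plus the handler mappings that keep .config and source files from being served; the handler type names are the standard ASP.NET ones.

```xml
<!-- Hypothetical web.config fragment (added example, not from the post). -->
<configuration>
  <system.web>
    <!-- Exposed: trace output is retained and served to any client
         requesting /trace.axd. localOnly="false" is the setting that
         hands cookies, server variables and request data to remote
         callers. Shown commented out; do not ship this. -->
    <!--
    <trace enabled="true" localOnly="false" requestLimit="10" pageOutput="false" />
    -->

    <!-- Locked down: tracing off in production. If it must stay on
         for diagnosis, localOnly="true" limits it to requests that
         originate on the server itself. -->
    <trace enabled="false" localOnly="true" />

    <!-- Don't send debug builds or full error detail to remote clients. -->
    <compilation debug="false" />
    <customErrors mode="RemoteOnly" />

    <!-- ASP.NET's machine.config already maps these extensions to the
         forbidden handler (the last extension wins, so page.aspx.cs is
         matched as *.cs). Repeating the mapping here guards against the
         upstream entry having been removed. -->
    <httpHandlers>
      <add verb="*" path="*.config" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.cs" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.vb" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
  </system.web>
</configuration>
```

A quick production check is to request /trace.axd and a known .aspx.cs path from a non-local host: with these settings both should be refused rather than return a request listing or source text.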
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html