
Re: Prevent security bypass

From: Scott Mulcahy <scottcm(at)usa.net>
Date: Wed Feb 12 2003 - 10:22:00 EST


Another simple solution that has less impact on current applications is to associate the .INC extension with asp.dll. You can do this by going to Properties of the web site, selecting the Home Directory tab, and, under Application Settings, clicking the Configuration button. The first tab is App Mappings. You'll need to Add a new mapping. I'd suggest using All Verbs.

This has the same impact as using .ASP for include files but allows developers to use the more intuitive .INC extension. It also prevents having to go back through all your code to replace .INC with .ASP.

Good luck,
Scott

-----Original Message-----
From: Ernie Nelson [mailto:Juridian@juridian.com]
Sent: Friday, February 07, 2003 7:48 PM
To: webappsec@securityfocus.com
Subject: Re: Prevent security bypass

A simpler method that requires less work is to simply name your include with the .asp extension. If you feel the need to mark it as an include, prefix the filename with inc_ (such as inc_secure.asp). That way even if the directories aren't configured right, the code is stripped out and harmless.

> I know I'm going to catch sh!t here cause I used .inc, but you can easily
Received on Wed Feb 12 11:10:50 2003
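
An added example, not part of the original posts: a Python audit that walks a web root, reads the `#include` directives, and lists include targets that sit inside the web root but have an extension with no script mapping, which are the files both suggestions in this thread deal with. The function names, the sample tree and the assumption that `virtual` paths resolve against the site root (no virtual directories) belong to this example.

```python
import re
import tempfile
from pathlib import Path

INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE)

def exposed_includes(web_root, mapped_exts=(".asp",)):
    """Return (including page, include target) pairs, relative to web_root,
    where the target is inside the web root but has no script mapping."""
    root = Path(web_root).resolve()
    mapped = {ext.lower() for ext in mapped_exts}
    findings = set()
    for page in root.rglob("*"):
        if not page.is_file():
            continue
        for kind, target in INCLUDE_RE.findall(page.read_text(errors="replace")):
            rel = target.replace("\\", "/").lstrip("/")
            # Assumption: "virtual" resolves against the site root;
            # "file" is relative to the including page's directory.
            base = root if kind.lower() == "virtual" else page.parent
            path = (base / rel).resolve()
            try:
                inside = path.relative_to(root)
            except ValueError:
                continue  # stored outside the web root: not requestable by URL
            if path.suffix.lower() not in mapped:
                findings.add((page.relative_to(root).as_posix(), inside.as_posix()))
    return sorted(findings)

def build_sample_site(parent):
    """Constructed sample tree for the demo, not taken from the thread."""
    root = Path(parent) / "wwwroot"
    (root / "admin").mkdir(parents=True)
    (root / "inc").mkdir()
    (root / "default.asp").write_text('<!-- #include file="inc/db.inc" -->\n')
    (root / "admin" / "login.asp").write_text(
        '<!--#INCLUDE VIRTUAL="/inc_secure.asp"-->\n'
        '<!-- #include file="..\\..\\private\\keys.inc" -->\n')
    (root / "inc" / "db.inc").write_text('<% connStr = "placeholder" %>\n')
    (root / "inc_secure.asp").write_text("<% ' session check placeholder %>\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site = build_sample_site(tmp)
        print("default mappings:", exposed_includes(site))
        print(".inc mapped to asp.dll:", exposed_includes(site, (".asp", ".inc")))
```

Pass the extensions that actually appear in the site's App Mappings as `mapped_exts`; an empty result means every include inside the web root goes through a script handler.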

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:48 EDT

