  1. #1 SitePoint Enthusiast (Join Date: Sep 2001, Posts: 94)

    Website security

    We have IIS and win2K server for our company website, that is hosted by us. We have a registered area that gives access to certain pages by login.

    Our login system is based on mysql and aspx/asp pages and I was wondering if there was a way to protect directories without using the windows users. We have some word docs and pdfs that can be downloaded if the paths are guessed. We are going to do an aspx transfer so the link is not as accessible, but I just think a username and password for any file in a directory (based on our custom login) would be more secure. We use a session validation currently.

    I for some reason think there are people out there that can scan a website and see what files are physically on the box. We have dir browsing off, but when a coworker had some directory management software try it on our site, there were files that showed up that I didn't think they could see, or wanted them to see.

    So am I paranoid, or is there a risk? The pdf downloading is my main concern. Thanks for any help.
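    The "aspx transfer" approach described in this post, written out as an added example (not code from the thread): an ASP.NET handler that only hands out a document after the site's own session login has been checked, so the real file path never appears in a link and guessing it no longer works. The handler name, the `Session["UserId"]` key, the `file` query parameter and the `D:\protected_docs` folder are all assumptions for illustration.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.SessionState;

// Hypothetical handler, e.g. saved as download.ashx and linked as download.ashx?file=report.pdf
public class ProtectedDownload : IHttpHandler, IRequiresSessionState
{
    // Assumption: the documents live OUTSIDE the web root, so IIS never serves them directly.
    private const string DocRoot = @"D:\protected_docs";

    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. Require the site's own login. Assumption: the login page sets Session["UserId"].
        if (context.Session["UserId"] == null)
        {
            context.Response.StatusCode = 403;  // not logged in: no file, no path leaked
            return;
        }

        // 2. Accept only a bare filename, so "..\" or an absolute path cannot escape DocRoot.
        string requested = context.Request.QueryString["file"];
        if (requested == null || requested.Length == 0 || requested != Path.GetFileName(requested))
        {
            context.Response.StatusCode = 400;
            return;
        }

        // 3. Hand out only the document types the site intends to share.
        string ext = Path.GetExtension(requested).ToLower();
        if (ext != ".pdf" && ext != ".doc")
        {
            context.Response.StatusCode = 404;
            return;
        }

        // 4. Re-check the resolved path still sits under DocRoot and the file exists.
        string fullPath = Path.GetFullPath(Path.Combine(DocRoot, requested));
        if (!fullPath.StartsWith(DocRoot + @"\") || !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // 5. Stream the file ourselves; the browser only ever sees the handler URL.
        context.Response.ContentType = (ext == ".pdf") ? "application/pdf" : "application/msword";
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + requested + "\"");
        context.Response.WriteFile(fullPath);
    }
}
```

Because the documents sit outside the web root, a visitor who guesses the old path gets nothing from IIS at all; the only way to the file is through the session check.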

  2. #2 MarcusJT (The doctor is in...; Join Date: Jan 2002, Location: London, Posts: 3,509)
    This has been discussed in depth before:
    http://www.sitepointforums.com/showt...threadid=67307

    MarcusJT
    - former ASP web developer / former SPF "ASP Guru"
    - *very* old blog with some useful ASP code

    - Please think, Google, and search these forums before posting!

  3. #3 Andrew-J2000 (Currently Occupied; Till Sunda; Join Date: Aug 2001, Location: London, Posts: 2,475)
    mysql and aspx/asp

    Odd combination, normally it's PHP and MySQL. What made you choose that then?

  4. #4 SitePoint Enthusiast (Join Date: Sep 2001, Posts: 94)
    Yeah I know it's odd. My coworker and I use php and mysql for our personal sites, so we knew mysql better than mssql. For a while we were using both, and just decided we liked the ease of mysql/phpmyadmin better. It is difficult to find help with that combination though. Our pres is a Microsoft fanatic so asp/aspx is what we have to write.

    Our login is currently done by asp and .dbf files and com objects that our president wrote, but it locks us out of making any changes and has many problems. He wants the switch to aspx, so I wanted the switch to control the data. Our company writes accounting software with CA visual objects and dbf is the ancient database they use, so that may give you a glimpse into where I am coming from. Quite clunky and not the best for web use. We have a lot of applications that are working quite well with the mysql/asp-aspx combo, but I am no expert so I'm sure there are more efficient ways to do it.
    Last edited by jamesb; Jul 30, 2002 at 07:35.

  5. #5 astericks (My precious!!!; Join Date: Mar 2002, Location: Vancouver, BC, Posts: 1,971)

    Re: Website security

    Originally posted by jamesb
    I for some reason think there are people out there that can scan a website and see what files are physically on the box.
    It's called the unicode exploit. An unpatched IIS server can succumb to that exploit... it'll give a path like this:

    http://mysite.com/....something here and there...../cmd.exe?/c+dir+c:\
    http://134.59.38.81/more stuff here and there/cmd.exe?/c+dir

    When these urls are opened via a browser, it shows the directory tree of the host server.

    To see if your server is vulnerable, try using Shadow security scanner.

    Also, go to microsoft.com and check for patches. Also, look around on the website, they have an article about which registry keys you should modify so that your IIS server is more "safe".

    Hope this helps.

    asT.


    Edit: here is a link from my bookmarks:
    http://support.microsoft.com/default...;EN-US;q184375
    Last edited by astericks; Jul 30, 2002 at 23:29.
