Website security

[jamesb]

We have IIS and win2K server for our company website, that is hosted by us. We have a registered area that gives access to certain pages by login.

Our login system is based on mysql and aspx/asp pages and I was wondering if there was a way to protect directories without using the windows users. We have some word docs and pdfs that can be downloaded if the paths are guessed. We are going to do an aspx transfer so the link is not as accessible, but I just think a username and password for any file in a directory (based on our custom login) would be more secure. We use a session validation curently.

I for some reason think there are people out there that can scan a website and see what files are physically on the box. We have dir browsing off, but when a coworker had some directory management software try it on our site, there were files that showed up that I didn't think they could see, or wanted them to see.

So am I paranoid, or is there a risk? The pdf downloading is my main concern. Thanks for any help.

[MarcusJT]

This has been discussed in depth before:
http://www.sitepointforums.com/showt...threadid=67307

[Andrew-J2000]

mysql and aspx/asp

odd combination, normally it's php and mySQL, what made you choose that then

[jamesb]

Yeah I know it's odd. My coworker and I use php and mysql for our personal sites, so we knew mysql better than mssql. For a while we were using both, and just decided we liked the ease of mysql/phpmyadmin better. It is difficult to find help with that combination though Our pres is a microsoft fanatic so asp/aspx is what have to write.

Our login is currently done by asp and .dbf files and com objects that our president wrote, but it locks us out of making any changes and has many problems. He wants the switch to aspx, so I wanted the switch to control the data. Our company writes accounting software with CA visual objects and dbf is the ancient database they use, so that may give you a glimpse into where I am coming from. Quite clunky and not the best for web use. We have a lot of applications that are working quite well with the mysql/asp-aspx combo, but I am no expert so I'm sure there are more efficient ways to do it.

[astericks]

Originally posted by jamesb
I for some reason think there are people out there that can scan a website and see what files are physically on the box.

It's called the unicode exploit. An unpatched IIS server can succumb to that exploit...it'll give a path like this :

http://mysite.com/....something here and there...../cmd.exe?/c+dir+c:\
http://134.59.38.81/more stuff here and there/cmd.exe?/c+dir

When these urls are opened via a browser, it shows the directory tree of the host server.

To see if your server is vulnerable, try using Shadow security scanner.

Also, go to microsft.com and check for patches. Also, look around on the website, they have an article about which rgistry keys you should modify so that your IIS server is more "safe".

Hope this helps.

asT.


edit : here is a link from my bookmarks:
http://support.microsoft.com/default...;EN-US;q184375