Hi,
Thanks for getting back on this...
B@DJJ wrote:
Sorry - just saw the post:
I'm more of a Mother Hen, really - Unless you really lock down the
global.asa so it can't be read by miscreants it's possible for
someone to access the global.asa and view it's contents (not directly
via IIS (if properly hardened) usually,
Are the miscreants that you refer to those with access to the server? It was
my understanding that those simply with access to a site can not read ASP
code in any of the files, but if there is a vulnerability, I'd like to be
aware of it. It would seem that, should such vulnerability exist, there
would be no way to "really lock down" the global.asa (or any other ASP
file). An example or reference would be appreciated.
but that's not where my
concern is - I've had consultants who thought it was a "good idea" to
have a page that would display the contents of any file via the
browser simply by giving the page the filename (Bad Programmer,
Bad!).....
Hmm, well, I've long wrestled with what delineates a page and have asked
here before (with somewhat differing responses). It was again my
understanding that a redirection to "foo.asp" would not make its server side
code visible. Being somewhat a novice with ASP, it would seem that exposing
the server-side contents would require quite a bit of deliberate
programming. For example, a page that reads "foo.asp", and parses the code
into browser-compatible responses. Perhaps I am missing your point,
though...
also, depending on what type of security you want to
implement at the DB-end, if the connection info is in the global.asa
anyone doing programming would have access to the userid/pswd to your
production db and it's never the ones that behave that you have to be
concerned about - same issue could arise with the web.config file in
.net - what I usually prefer is that either a COM or an Assembly
(classic ASP or .NET) be used to access the DB, properly locked down
with very limited access to the source code.
This makes sense, as it may narrow down the list of possible miscreants. Of
course, those doing programming could probably hijack the production
database anyway, no? ;-)
Neil