Download ASP Script?

[Oli]

Alright people,
I'll get straight to the point.... Bascially a company I do some work for
has just gone bankrupt and is in liquidation and I want to get hold of one
of the ASP scripts off their webserver. It is only something basic that
takes the input of a dropdown box and takes you to the appropriate page (I
know this can be done with Javascript but I don't like it!).

Can someone please tell me how I can physically grab the script off their
server (I know the filename), OR tell me how I can make a similar script?

Many thanks in advance,
Oli

 

[Ken Schaefer]

If you want to get it off their server, go and ask them for it. You don't
steal things.

As for programming this yourself, it's trivial.

<select name="cboGoThere">
<option value="a">Value 1</option>
<option value="b">Value 2</option>
<option value="c">Value 3</option>
</select>

- - - - - - - - - -

Select Case Request.Form("cboGoThere")
Case "a"
strRedirect = "pageA.asp"
Case "b"
strRedirect = "someOtherPage.asp"
Case "c"
strRedirect = "whoCares.asp"
Case Else
strRedirect = "/"
End Select
Response.Redirect(strRedirect)

Cheers
Ken

: Alright people,
: I'll get straight to the point.... Bascially a company I do some work for
: has just gone bankrupt and is in liquidation and I want to get hold of one
: of the ASP scripts off their webserver. It is only something basic that
: takes the input of a dropdown box and takes you to the appropriate page (I
: know this can be done with Javascript but I don't like it!).
:
: Can someone please tell me how I can physically grab the script off their
: server (I know the filename), OR tell me how I can make a similar script?
:
: Many thanks in advance,
: Oli
:
:

 

[Harag]

If you want to get it off their server, go and ask them for it. You don't
steal things.

[snip]

Talking of getting ASP pages from a server. I'm new to the world of
ASP vbscript and thought that its basically impossible to get asp
files from asp servers, as typing in the filename runs the file.

Now with you NOT saying that its "not" possible to the guy - are you
say that it is possible in someway to get other peoples .ASP pages
from thier sites?

You've not got me worried as if its possible then what about all the
sensitive info stored in them (like DB connections with user &
passwords) etc.

If it is possible what about the global .ASA file?

please let me know is it or is it not possible to "steal" asp/asa
pages from someones website.

Thanks
Al.

 

[Ken Schaefer]

There are few old exploits that allowed you to see ASP source code. Any
server that's patched is immune.

However, suppose the IIS site allows Frontpage authoring. All you'd need to
do is guess a username/password combination

Additionally, ASP pages are just text files on the server. If you can
somehow get access to the server (I assume that this guy knows a little
about the company, especially since he knows it's gone bankrupt), then you
can get access to the files.

etc, etc

So, the simple answer is "no" - without having something extra (eg
username/password), it's not possible to get ASP source code (.asp, .asa ),
however that's not to say its completely impossible.

cheers
Ken


: On Sun, 12 Oct 2003 23:38:26 +1000, "Ken Schaefer"
:
: >If you want to get it off their server, go and ask them for it. You don't
: >steal things.
: [snip]
:
: Talking of getting ASP pages from a server. I'm new to the world of
: ASP vbscript and thought that its basically impossible to get asp
: files from asp servers, as typing in the filename runs the file.
:
: Now with you NOT saying that its "not" possible to the guy - are you
: say that it is possible in someway to get other peoples .ASP pages
: from thier sites?
:
: You've not got me worried as if its possible then what about all the
: sensitive info stored in them (like DB connections with user &
: passwords) etc.
:
: If it is possible what about the global .ASA file?
:
: please let me know is it or is it not possible to "steal" asp/asa
: pages from someones website.
:
: Thanks
: Al.
:
:

 

[Jeff Cochran]

If you want to get it off their server, go and ask them for it. You don't
steal things.

[snip]

Talking of getting ASP pages from a server. I'm new to the world of
ASP vbscript and thought that its basically impossible to get asp
files from asp servers, as typing in the filename runs the file.

Now with you NOT saying that its "not" possible to the guy - are you
say that it is possible in someway to get other peoples .ASP pages
from thier sites?

FTP, copy to floppy, have them email it, plenty of ways. No, you
can't just "View Source".

You've not got me worried as if its possible then what about all the
sensitive info stored in them (like DB connections with user &
passwords) etc.

Never ever store passwords or connection info where it would be
accessible. There are/were a number of attacks on IIS/Windows systems
that allowed viewing the files, all of which have been patched and
which have security fixes. Make sure you've applied them and locked
down the box.

please let me know is it or is it not possible to "steal" asp/asa
pages from someones website.

I can always walk in the door with a gun and make you copy it to
floppy for me, there's no "foolproof" method. Make sure you follow
good security practices.

Jeff

 

[Harag]

Hi

FTP, copy to floppy, have them email it, plenty of ways. No, you
can't just "View Source".

lol. it was the latter that I was more worried about. I'm more asking
from the point of view of a user other side of the world getting into
the asp files.

Never ever store passwords or connection info where it would be
accessible. There are/were a number of attacks on IIS/Windows systems
that allowed viewing the files, all of which have been patched and
which have security fixes. Make sure you've applied them and locked
down the box.

Hmm Where do you store the connection/password info ?

I have 1 ASP-VBSCRIPT CLASS .asp file that handles my connection to
the DB and even all the code for getting recordsets back in different
formats (Recordset or array or none)

I have my connection string set up as follows in the global.asa:

Application("DBConnection") = "Provider=SQLOLEDB; Data Source=(local);
Initial Catalog=dbname; User ID=[***USER***]; Password=[***PASS***];
Persist Security Info=True"

and in my class I replace the user & password bits with the actual
name & password... hmm thinking about it I dont need to store the
above in the Application object (this was from my old system before I
wrote the class lol)

I can always walk in the door with a gun and make you copy it to
floppy for me, there's no "foolproof" method. Make sure you follow
good security practices.

LOL, yea there is always that possibility

Al

 

[Jeff Cochran]

Hi


lol. it was the latter that I was more worried about. I'm more asking
from the point of view of a user other side of the world getting into
the asp files.


Hmm Where do you store the connection/password info ?

I store them in an include, outside the IIS website heirarchy. It's
not really *that* much safer, just that most of the hacks for
directory traversal or other means of viewing files on systems depend
on either a known folder structure (\\winnt\system32\etc...) or access
to the web folders. Placing connection string includes, as well as
databases, etc. outside the structure in a folder that isn't easily
guessable is just one more hurdle to get by.

I have 1 ASP-VBSCRIPT CLASS .asp file that handles my connection to
the DB and even all the code for getting recordsets back in different
formats (Recordset or array or none)

I have my connection string set up as follows in the global.asa:

Application("DBConnection") = "Provider=SQLOLEDB; Data Source=(local);
Initial Catalog=dbname; User ID=[***USER***]; Password=[***PASS***];
Persist Security Info=True"

I'm not fond of having connection strings in the global.asa, but part
of that stems from having to access different connections depending on
what's going on. There are arguments not to provide connection
information between sessions, instead creating and destroying
connections as needed, plus if you have pages that don't need a
connection, you're creating it for the user even if you never use it.
A lot of this depends on design considerations and has to do with
scalability issues, so each organization is affected differently.

and in my class I replace the user & password bits with the actual
name & password... hmm thinking about it I dont need to store the
above in the Application object (this was from my old system before I
wrote the class lol)

You don't, and it's probably not a smart programming move, though I
don't think it would affect security.

LOL, yea there is always that possibility

Security is a matter of tradeoffs. You often trade security for
usability, until you get a balance that works in your specific
instance. What you need for security might not be the same as the kid
in his high school lab creating a project that will be destroyed next
month, or the CIA creating a system to share intelligence with other
agencies.

Jeff