Which files are visible in a website?

Discussion in 'ASP General' started by LarryM, Aug 4, 2003.

  1. LarryM

    LarryM Guest

    Hi,

    This is maybe not a pure ASP question, but has some relation:
    Please help me throw some light on this:

    Which directories and files are visible and readable for a (hacking) user at a
    Website:
    a) directories in the default website (obviously: YES)
    b) .asp-files in the default Website
    c) .asp-files in any directory outside the default Website
    d) virtual directories, with files, referred to in the Website
    e) any virtual directory, with files, set up in IIS
    f) any other directory and file on the server computer that you know the local
    physical path to
    g) any other directory and file on the server computer that you know a valid
    URL to

    any comment is appreciated, thanks
    Larry
    LarryM, Aug 4, 2003
    #1

  2. LarryM

    LarryM Guest

    On Mon, 4 Aug 2003 17:56:21 -0500, "Curt_C [MVP]" <Software_AT_Darkfalz.com>
    wrote:

    >A) yes, but listing the contents is a switch you can turn on/off.
    >B) yes by default BUT you can turn this off.
    >C) no, unless you've specified it as another site.
    >D) yes, depending on the file type though it may not be.
    >E) see D
    >F) not usually if the system is patched/up to date.
    >G) yes usually, see D though.


    Thanks Curt C!!
    I guess the subject is too large to handle in a thread...
    You don't happen to know a good book where I can dig deeper into all the
    details??

    BTW, how do you turn the .asp-files to be not visible?

    /Larry
    LarryM, Aug 5, 2003
    #2

  3. LarryM

    Don Verhagen Guest

    "LarryM" <> wrote in message
    news:...
    > On Mon, 4 Aug 2003 17:56:21 -0500, "Curt_C [MVP]" <Software_AT_Darkfalz.com>
    > wrote:
    >
    > >A) yes, but listing the contents is a switch you can turn on/off.
    > >B) yes by default BUT you can turn this off.
    > >C) no, unless you've specified it as another site.
    > >D) yes, depending on the file type though it may not be.
    > >E) see D
    > >F) not usually if the system is patched/up to date.
    > >G) yes usually, see D though.

    >
    > Thanks Curt C!!
    > I guess the subject is too large to handle in a thread...
    > You don't happen to know a good book where I can dig deeper into all the
    > details??
    >
    > BTW, how do you turn the .asp-files to be not visible?


    .asp files are not visible, just the HTML output (eg "Response.Write"). ASP
    Files, by default (etc.) are processed by the server first after each
    request. (Unless using FTP rather than HTTP)

    Don





    > /Larry
    Don Verhagen, Aug 5, 2003
    #3
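
Added example, not part of the original thread: a check a site owner can run over responses fetched from their own site to confirm that .asp pages come back as processed output, as the post above describes, rather than as script source. The URLs, sample bodies and function names are constructed for illustration.

```python
import re

# Markers that should never reach a browser if the server ran the script.
ASP_BLOCK = re.compile(r"<%.*?%>", re.DOTALL)
SSI_INCLUDE = re.compile(r"<!--\s*#include\s+(?:file|virtual)\s*=", re.IGNORECASE)
RUNAT_SERVER = re.compile(r"<script[^>]*\brunat\s*=\s*[\"']?server", re.IGNORECASE)


def source_leak_markers(body: str) -> list[str]:
    """Return the names of server-side markers found in a response body."""
    found = []
    if ASP_BLOCK.search(body):
        found.append("asp-block")
    if SSI_INCLUDE.search(body):
        found.append("ssi-include")
    if RUNAT_SERVER.search(body):
        found.append("runat-server")
    return found


def audit(responses):
    """responses: iterable of (url, content_type, body) -> {url: [findings]}."""
    report = {}
    for url, content_type, body in responses:
        findings = source_leak_markers(body)
        path = url.split("?", 1)[0].lower()
        # Heuristic: a .asp URL answered with a non-HTML type deserves a manual
        # look (pages that set Response.ContentType themselves also trigger it).
        if path.endswith(".asp") and not content_type.lower().startswith("text/html"):
            findings.append("unexpected-content-type")
        if findings:
            report[url] = findings
    return report


# Constructed sample responses (not captured from any real site).
SAMPLES = [
    ("http://example.test/default.asp", "text/html",
     "<html><body>Hello, it is 2003-08-05</body></html>"),
    ("http://example.test/inc/db.asp", "text/plain",
     '<!-- #include file="conn.inc" -->\n<%\nSet cn = Server.CreateObject("ADODB.Connection")\n%>'),
    # Rendered tutorial page: the delimiters are HTML-escaped, so no finding.
    ("http://example.test/howto.asp", "text/html",
     '<p>Write &lt;% Response.Write("hi") %&gt; in your page</p>'),
]

if __name__ == "__main__":
    for url, findings in audit(SAMPLES).items():
        print(url, findings)
```
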
  4. LarryM

    LarryM Guest

    On Mon, 4 Aug 2003 19:26:25 -0400, "Don Verhagen" <>
    wrote:

    >
    >"LarryM" <> wrote in message
    >news:...
    >> On Mon, 4 Aug 2003 17:56:21 -0500, "Curt_C [MVP]" <Software_AT_Darkfalz.com>
    >> wrote:
    >>
    >> >A) yes, but listing the contents is a switch you can turn on/off.
    >> >B) yes by default BUT you can turn this off.
    >> >C) no, unless you've specified it as another site.
    >> >D) yes, depending on the file type though it may not be.
    >> >E) see D
    >> >F) not usually if the system is patched/up to date.
    >> >G) yes usually, see D though.

    >>
    >> Thanks Curt C!!
    >> I guess the subject is too large to handle in a thread...
    >> You don't happen to know a good book where I can dig deeper into all the
    >> details??
    >>
    >> BTW, how do you turn the .asp-files to be not visible?

    >
    >.asp files are not visible, just the HTML output (eg "Response.Write"). ASP
    >Files, by default (etc.) are processed by the server first after each
    >request. (Unless using FTP rather than HTTP)

    So, visible using FTP..
    And since I have an exclusive access to my Website by a FTP login,
    and Anonymous FTP Access is turned off, then
    only I (and the provider) can see the .asp-files, right?

    /Larry

    >Don
    >
    >
    >
    >
    >
    >> /Larry

    >
    LarryM, Aug 5, 2003
    #4
  5. LarryM

    LarryM Guest

    On Mon, 4 Aug 2003 19:07:59 -0500, "Curt_C [MVP]" <Software_AT_Darkfalz.com>
    wrote:

    >simply disassociate them with the ASP.DLL in the IIS manager.

    And that doesn't affect the ASP code execution?
    And the .asp-files are still visible in FTP?
    /Larry
    LarryM, Aug 5, 2003
    #5
  6. LarryM

    Jeff Cochran Guest

    On Mon, 04 Aug 2003 22:26:17 GMT, LarryM <> wrote:

    >This is maybe not a pure ASP question, but has some relation:
    >Please help me throw some light on this:
    >
    >Which directories and files are visible and readable for a (hacking) user at a
    >Website:
    >a) directories in the default website (obviously: YES)


    Not mine.

    >b) .asp-files in the default Website


    Not mine.

    >c) .asp-files in any directory outside the default Website


    Not mine.

    >d) virtual directories, with files, referred to in the Website


    Not... Okay, you see the pattern here.

    >e) any virtual directory, with files, set up in IIS
    >f) any other directory and file on the server computer that you know the local
    >physical path to
    >g) any other directory and file on the server computer that you know a valid
    >URL to


    Securing files/folders is a matter of several permissions in
    combination. If you allow anonymous access, then you presumably allow
    at least some files to be displayed to anyone who hits your web site
    URL. Beyond that, you can configure any or all pages to be served
    through ASP only, and not directly from the system. You can configure
    your system such that pages never exist until sent to the browser,
    serving dynamically from a database that can't be directly accessed.

    You also should consider that just making files available to a browser
    or not isn't security against hackers. Most script hacks won't look
    at your pages and determine to hack them, they just scan for known
    holes to see if you've plugged them. So you're far more likely to be
    a hacking victim from other issues besides file availability.

    Jeff
    Jeff Cochran, Aug 5, 2003
    #6
  7. LarryM

    Jeff Cochran Guest

    On Tue, 05 Aug 2003 06:24:22 GMT, LarryM <> wrote:

    >On Mon, 4 Aug 2003 19:26:25 -0400, "Don Verhagen" <>
    >wrote:
    >
    >>
    >>"LarryM" <> wrote in message
    >>news:...
    >>> On Mon, 4 Aug 2003 17:56:21 -0500, "Curt_C [MVP]" <Software_AT_Darkfalz.com>
    >>> wrote:
    >>>
    >>> >A) yes, but listing the contents is a switch you can turn on/off.
    >>> >B) yes by default BUT you can turn this off.
    >>> >C) no, unless you've specified it as another site.
    >>> >D) yes, depending on the file type though it may not be.
    >>> >E) see D
    >>> >F) not usually if the system is patched/up to date.
    >>> >G) yes usually, see D though.
    >>>
    >>> Thanks Curt C!!
    >>> I guess the subject is too large to handle in a thread...
    >>> You don't happen to know a good book where I can dig deeper into all the
    >>> details??
    >>>
    >>> BTW, how do you turn the .asp-files to be not visible?

    >>
    >>.asp files are not visible, just the HTML output (eg "Response.Write"). ASP
    >>Files, by default (etc.) are processed by the server first after each
    >>request. (Unless using FTP rather than HTTP)

    >So, visible using FTP..
    >And since I have an exclusive access to my Website by a FTP login,
    >and Anonymous FTP Access is turned off, then
    >only I (and the provider) can see the .asp-files, right?


    And the guy who guesses your password. And the guy who hacks another
    account on the same box and elevates his privileges. And the guy who
    calls your ISP, says he's you and needs a copy of his files burned to
    CD. And the guy who walks in the door of your ISP and simply copies
    the files to disk. And the...

    Security isn't as simple as you're looking for.

    Jeff
    Jeff Cochran, Aug 5, 2003
    #7
  8. LarryM

    LarryM Guest

    Thanks guys for all your comments and tips,
    I feel a bit … humble about the security issues,
    there is obviously a lot to deal with..

    /Larry
    LarryM, Aug 5, 2003
    #8
