lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <BAY3-F28Boe2U8QVjp300031dfe@hotmail.com>
From: dan_20407 at msn.com (DAN MORRILL)
Subject: FYI Only - Interesting Dot Net configuration item

Good Morning List

been running some tests on an ASP dot Net web technology system, and ran 
into some things that would be good FYI from a security perspective. Since 
this is still new technology in some respects, there are some configuration 
items that should be observed, or at least noted possibly as a policy item, 
but security folks should be looking for these items when they are testing a 
dot net system.

For interests sake - go to google and run the following if you want more 
information on these files (or to observe folks that didn't do their 
security right, and to observe first hand the data that is given over. Again 
as with all security, risk is defined by the organization, this may or may 
not be risky depending on your view point.)

allinurl: "trace.axd"
allinurl: "web.config"
allinurl: "aspx.cs" for C# source
allinurl: "aspx.vb" for VBS source

Trace dot axd is a tracing function that can be controlled in the web.config 
file. Default is to not release this data, but the developer can modify the 
web.config file to show all trace data to an outside client. This data 
includes cookie session data, and other data that could be useful for 
session highjacking, and determining the physical configuration of the web 
server, including phyiscal and logical drive space. This runs in memory, and 
is purged on a FIFO basis, or when IIS is restarted.

Web.config file holds configuration data for dot net for the web server. 
Provides good configuration data about how the dot net environment is set up 
for the web server. It can also hold connection string information for 
connecting to database systems, other systems, and virtual directories if 
not using integrated security.

all source files (.CS or .VB) can provide information about how the web 
application is set up, what it imports, and in some cases holds connection 
string data for accounts database backend systems. That data is included if 
not using the obdc DSN system. (Although it could be there if any form of 
credentials are embedded anywhere in the source code for a web system).

Just thought I would pass this along as I have not seen anything like this 
posted on the network at all. My suggestion based on this data is that all 
uploaded Dot Net code bases onto a production server be configured in such a 
way that these data points are not exposed to the public. Default is that 
these are protected systems files, but a developer can change these bounds, 
and there should be a hand shake between security and development for 
production or other internet exposed systems.

Hope this was interesting.
r/
Dan




Sometimes MSN E-mail will indicate that the mesasge failed to be delivered. 
Please resend when you get those, it does not mean that the mail box is bad, 
merely that MSN mail is over worked at the time.

Otherwise, hope things are going well.
r/
Dan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ