faqts : Computers : Programming : Languages : PHP : Common Problems : Hacking

+ Search
Add Entry AlertManage Folder Edit Entry Add page to http://del.icio.us/
Did You Find This Entry Useful?

24 of 34 people (71%) answered Yes
Recently 7 of 10 people (70%) answered Yes

Entry

Is PHP affected by ASP vulnerabilities?

May 2nd, 2000 23:21
Jerry Yoakum, Hacking Exposed by McClure, Scambray, and Kurtz (ISBN 0072121270)


It depends on how you have ASP implemented and what verison of IIS.
The following web servers could be at risk: IIS 3.0/4.0 and Personal 
Web Server 4.0.
The "ASP Dot Bug" which if you have this vulnerability is the same as 
the "PHP Dot Bug."  By appending one or more dots to the end of an ASP 
(or PHP) URL, it is possible to view the ASP/PHP source code, thereby 
revealing program logic and sensitive information such as usernames and 
passwords for database authentication.
  Fix for IIS 3/4:
    http://support.microsoft.com/support/kb/articles/Q233/3/35.ASP
     In the above link Microsoft tries to blame the problem on the
     language packs; I have experienced this problem and use only
     English.
  Fix for PWS 4.0:
    http://support.microsoft.com/support/downloads/DP4044.asp
"Alternate Data Streams"
Follow-up to the Dot Bug, allows attackers to download the source to 
your web pages. By appending "::$DATA" to the end of an ASP/PHP URL the 
user could save your source.  The above FIXES include fixes for this 
bug.