It certainly doesn't hurt to put any files you can outside of the web root.
Unfortunately anything that allows other users, or a poorly written script
that does, to view files on the server without proper checking, well, you
know.  Anyway, I just thought I'd add that point, as well as the fact that
it's not compiled means there's really nothing you can do, even if it might
annoy or delay the person that is looking for the end result.  But I'm sure
you know all this, so I just added those points as well.
--
Regards,
Tim Greer  [EMAIL PROTECTED]
Server administration, security, programming, consulting.
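
The "proper checking" mentioned above, as an added example that is not part of the original thread: a file-viewing script sketched in Python (the thread concerns ASP; the function, directory and file names here are constructed). It shows that an include stored outside the web root is still readable through an unchecked viewer, and is refused by one that resolves the path before opening it.

```python
import os
import tempfile

def read_unchecked(base_dir, name):
    """The poorly written viewer: joins the requested name to a directory and reads it."""
    with open(os.path.join(base_dir, name), "r") as fh:
        return fh.read()

def read_checked(base_dir, name):
    """Resolve the requested path (symlinks, '..', absolute names) and
    refuse anything that does not end up inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath compares whole components, so /srv/docs-old is not mistaken for /srv/docs
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("outside permitted directory: %r" % name)
    with open(target, "r") as fh:
        return fh.read()

def attempt(base_dir, name):
    """Return the file contents, or the string 'refused' if the check rejects the name."""
    try:
        return read_checked(base_dir, name)
    except PermissionError:
        return "refused"

def demo():
    # Constructed layout: a public folder under the web root, includes kept outside it.
    with tempfile.TemporaryDirectory() as root:
        public = os.path.join(root, "wwwroot", "docs")
        private = os.path.join(root, "includes")
        os.makedirs(public)
        os.makedirs(private)
        with open(os.path.join(public, "readme.txt"), "w") as fh:
            fh.write("public notes")
        with open(os.path.join(private, "core.inc"), "w") as fh:
            fh.write("core include source")
        relative = os.path.join("..", "..", "includes", "core.inc")
        return {
            "inside": attempt(public, "readme.txt"),
            "unchecked": read_unchecked(public, relative),
            "checked": attempt(public, relative),
            "absolute": attempt(public, os.path.join(private, "core.inc")),
        }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```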


----- Original Message -----
From: "skate" <[EMAIL PROTECTED]>
To: "Tim Greer" <[EMAIL PROTECTED]>; "Eralper YILMAZ"
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; "'Security-Basics'"
<[EMAIL PROTECTED]>
Sent: Friday, July 18, 2003 10:07 AM
Subject: Re: ASP Pages


> which is why i also mentioned about putting it outside the webroot, although
> this may not necessarily protect from other users. i generally run my
> scripts on my own server, so don't really come across this...
>
> ----- Original Message -----
> From: "Tim Greer" <[EMAIL PROTECTED]>
> To: "skate" <[EMAIL PROTECTED]>; "Eralper YILMAZ" <[EMAIL PROTECTED]>;
> <[EMAIL PROTECTED]>; "'Security-Basics'" <[EMAIL PROTECTED]>
> Sent: Friday, July 18, 2003 6:00 PM
> Subject: Re: ASP Pages
>
>
> > Correct, that barring any technical/configuration reasons that would show
> > the ASP code in its text form would not be possible, there are several
> > methods which are, such as a user on the same system opening and printing
> > another user's ASP file's contents, or another ASP, or PHP or CGI, etc.
> > script on the server that is intentionally allowing people to open and print
> > file contents (which is often not intentional, though it exists).  So, some
> > things can help, but anything interpreted will still allow someone to obtain
> > the source code anyway, if they can manage to get that far.  This is why
> > compiling is the best way to protect source code--and I don't know of a way
> > (personally) to do this in ASP.  Note:  Don't confuse compiling with
> > encrypting or obfuscating.
> > --
> > Regards,
> > Tim Greer  [EMAIL PROTECTED]
> > Server administration, security, programming, consulting.
> >
> >
> > ----- Original Message -----
> > From: "skate" <[EMAIL PROTECTED]>
> > To: "Eralper YILMAZ" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
> > "'Security-Basics'" <[EMAIL PROTECTED]>
> > Sent: Friday, July 18, 2003 9:01 AM
> > Subject: Re: ASP Pages
> >
> >
> > > no-one can read your asp code without having ftp (or similar) access to the
> > > directory, the web server will run anything that it determines is asp, and
> > > only transmit the output. this is the core of server side scripting.
> > >
> > > as an extra, double security, you should put most of the core functions into
> > > includes, and have them stored outside the web root. occasionally, the web
> > > server may have problems and transmit things before running them. i've seen
> > > this happen in php anyway when the server is in the process of being
> > > updated...
> > >
> > > ----- Original Message -----
> > > From: "Eralper YILMAZ" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>; "'Security-Basics'"
> > > <[EMAIL PROTECTED]>
> > > Sent: Friday, July 18, 2003 10:08 AM
> > > Subject: Re: ASP Pages
> > >
> > >
> > > > Hi,
> > > >
> > > > Use "Script Encoder"
> > > >
> > > > You can find detailed info at
> > > >
> > > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/SeconScriptEncoderOverview.asp
> > > >
> > > > ----- Original Message -----
> > > > From: "Benjamin Meade" <[EMAIL PROTECTED]>
> > > > To: "'Security-Basics'" <[EMAIL PROTECTED]>
> > > > Sent: Monday, June 16, 2003 9:51 AM
> > > > Subject: ASP Pages
> > > >
> > > >
> > > > >
> > > > > Hi all,
> > > > >
> > > > > We are currently developing a project management system in ASP, and I am
> > > > > a little concerned about code stealing. Given that the asp pages are
> > > > > visible to everyone, how difficult is it for someone to download the
> > > > > actual asp code? (As opposed to the html that the page generates).
> > > > >
> > > > > Also, there is the option for installing the site on a client's server.
> > > > > Is there any way to encrypt this so that the server can read it, but the
> > > > > clients cannot?
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Benjamin Meade
> > > > > System Administrator
> > > > > LanWest Pty Ltd
> > > > > Ph:  (08) 9440 3033
> > > > > Fax: (08) 9440 3370
> > > > >
> > > > >
> > > > >
> > > >
> > >
> >
>
> --------------------------------------------------------------------------
> > > > -
> > > > > Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top
> > > analysts!
> > > > > The Gartner Group just put Neoteris in the top of its Magic
> Quadrant,
> > > > > while InStat has confirmed Neoteris as the leader in marketshare.
> > > > >
> > > > > Find out why, and see how you can get plug-n-play secure remote
> access
> > > in
> > > > > about an hour, with no client, server changes, or ongoing
> maintenance.
> > > > >
> > > > > Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> > > >
> > >
> >
>
> --------------------------------------------------------------------------
> > > > --
> > > > >
> > > >
> > > >
> > >
> >
>
> --------------------------------------------------------------------------
> > > -
> > > > Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top
> > analysts!
> > > > The Gartner Group just put Neoteris in the top of its Magic
Quadrant,
> > > > while InStat has confirmed Neoteris as the leader in marketshare.
> > > >
> > > > Find out why, and see how you can get plug-n-play secure remote acce
ss
> > in
> > > > about an hour, with no client, server changes, or ongoing
maintenance.
> > > >
> > > > Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> > >
> >
>
> --------------------------------------------------------------------------
> > > --
> > > >
> > > >
> > > >
> > >
> > >
> > >
> >
>
> --------------------------------------------------------------------------
> > -
> > > Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top
> analysts!
> > > The Gartner Group just put Neoteris in the top of its Magic Quadrant,
> > > while InStat has confirmed Neoteris as the leader in marketshare.
> > >
> > > Find out why, and see how you can get plug-n-play secure remote access
> in
> > > about an hour, with no client, server changes, or ongoing maintenance.
> > >
> > > Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> >
>
> --------------------------------------------------------------------------
> > --
> > >
> >
> >
> >
>
>


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------