
asp.runtime-error.txt

11 Feb 2000 00:00:00 | Reported by Jerry Walsh | Type: packetstorm | Source: packetstormsecurity.com

ASP runtime errors expose source code, business logic, and database information through search engines.

Code
`Forwarded with permission of the author. Please direct all replies to  
[email protected].  
  
Ben Greenbaum  
Director of Site Content  
Security Focus  
http://www.securityfocus.com  
  
---------- Forwarded message ----------  
Description:  
============  
Active server pages (ASP) with runtime errors  
expose a security hole that publishes  
the full source code name to the caller.  
If these scripts are published on the  
internet before they are debugged by  
the programmer, the major search  
engines index them. These indexed  
ASP pages can be then located with a  
simple search. The search results publish  
the full path and file name for the ASP  
scripts. This URL can be viewed in a browser  
and may reveal full source code with  
details of business logic, database location  
and structure.  
  
Procedure:  
==========  
- In the AltaVista search engine execute a search for  
+"Microsoft VBScript runtime error" +".inc, "  
  
- Look for search results that include the full  
path and filename for an include (.inc) file.  
  
- Append the include filename to the host name  
and call this up in a web browser.  
Example: www.rodney.com/stationery/browser.inc  
  
Examples:  
=========  
http://shopping.altavista.com/inc/lib/prep.lib  
Exposes database connections and properties, resource locations,  
cookie logic, server IP addresses, business logic  
  
http://www.justshop.com/SFLib/ship.inc  
Exposes database properties, business logic  
  
http://www.bbclub.com:8013/includes/general.inc  
Exposes cobranding business logic  
  
http://www.salest.com/corporate/admin/include/jobs.inc  
Exposes datafile locations and structure  
  
http://www.bjsbabes.com/SFLib/design.inc  
Exposes source code for StoreFront 2000 including  
database structure  
  
http://www.ffg.com/scripts/IsSearchEngine.inc  
Exposes search engine log  
  
http://www.wcastl.com/include/functions.inc  
Exposes members' email addresses and  
private comments file http://www.wcastl.com/flat/comments.txt  
  
http://www.traveler.net/two/cookies.inc  
Exposes cookie logic  
  
Resolution:  
===========  
  
- Search engines should not index pages that  
have ASP runtime errors.  
  
- Programmers should fully debug their ASP  
scripts before publishing them on the web.  
  
- Security administrators need to secure  
the ASP include files so that external users  
cannot view them.  
  
  
  
  
===========================  
Jerry Walsh  
JW's Software Gems  
Email [email protected]  
Phone (949) 855-0233  
Website http://www.jwsg.com  
===========================  
  
  
`
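
One way to act on the advisory's third resolution item, as an added example that is not part of the original advisory: a Python audit that reads the `#include` directives in each `.asp` page under a web root and lists the included files that sit inside that root under an extension the server would return as plain text. The function names, the sample site, and the assumption that only `.asp` is mapped to the script engine are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

SCRIPT_MAPPED = {".asp"}  # assumption: the only extension handed to the ASP engine
INCLUDE_RE = re.compile(r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"', re.I)

def find_exposed_includes(webroot):
    """Web paths of include files that a direct request would return as plain text."""
    webroot = os.path.realpath(webroot)
    exposed = set()
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_MAPPED:
                continue
            text = Path(dirpath, name).read_text(encoding="latin-1")
            for kind, target in INCLUDE_RE.findall(text):
                target = target.replace("\\", "/")
                # virtual= resolves from the site root, file= from the including page
                base = webroot if kind.lower() == "virtual" else dirpath
                path = os.path.normpath(os.path.join(base, target.lstrip("/")))
                rel = os.path.relpath(path, webroot)
                requestable = not rel.startswith("..") and os.path.isfile(path)
                if requestable and os.path.splitext(path)[1].lower() not in SCRIPT_MAPPED:
                    exposed.add("/" + rel.replace(os.sep, "/"))
    return sorted(exposed)

def build_sample_site(root):
    """Write a small constructed site under root and return its web root."""
    files = {
        "wwwroot/default.asp": '<!-- #include file="inc/db.inc" -->\n',
        "wwwroot/shop/cart.asp": '<!--#include virtual="/lib/prep.lib"-->\n'
                                 '<!--#INCLUDE VIRTUAL="/lib/util.asp"-->\n',
        "wwwroot/admin/jobs.asp": '<!--#include file="../../private/conn.inc"-->\n',
        "wwwroot/inc/db.inc": "<% ' constructed sample %>\n",
        "wwwroot/lib/prep.lib": "<% ' constructed sample %>\n",
        "wwwroot/lib/util.asp": "<% ' constructed sample %>\n",
        "private/conn.inc": "<% ' constructed sample %>\n",
    }
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return os.path.join(root, "wwwroot")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(find_exposed_includes(build_sample_site(tmp)))
```

Each path it reports is a candidate for moving outside the web root, renaming to a script-mapped extension, or blocking by extension at the server.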
