Web Server Misconfiguration

Web Server Misconfiguration: Unprotected File

Summary

An information disclosure vulnerability has been detected on an IIS server. During the assessment, the global.asa.bak file was retrieved from the web server. This file is most likely a backup copy of the global.asa file, a text file of server-side script that defines the application- and session-level variables used throughout a user's web session. The global.asa file may contain a database server name, user name, database password, and database name, so a remote attacker who retrieves the backup copy obtains that sensitive system information directly. Recommendations include removing the vulnerable file.

Explanation

The impact of an attacker finding a backup file obviously depends on the nature of the file. In this case, the file commonly contains the credentials the application uses to connect to its database, along with other system-critical information. Inside the global.asa file, you will commonly find ODBC Data Source Name (DSN) definitions that all ASP pages on the site will use. At a minimum, an attacker who finds a backup copy of the global.asa file has had a major portion of his reconnaissance and research conducted for him.

Recommendation

Ensure that there are no old or backup copies of the global.asa file available via your website. If found, remove them immediately.
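One way to carry out that check from the server side, as an added example that is not part of the original post: a Python sweep of an IIS web root for stray backup copies of global.asa, flagging those that embed a password in a DSN string. The web root path, the backup-name patterns and the constructed sample files are assumptions.

```python
# Added example (not from the original post): a defender-side sweep of an
# IIS web root for stray backup copies of global.asa. The web root path and
# the backup-name patterns below are assumptions; extend them to match the
# naming habits of your own editors and admins.
import os
import re
import tempfile
from pathlib import Path

# Suffixes and prefixes commonly left behind by editors and manual copies.
SUFFIX = r"(?:\.(?:bak|old|orig|save|tmp|txt|\d+)|~)"
BACKUP_NAME_RE = re.compile(
    rf"^(?:copy(?: \(\d+\))? of global\.asa{SUFFIX}?|global\.asa{SUFFIX})$",
    re.IGNORECASE,
)
# A DSN-style connection string carrying a password, as in the sample global.asa.
PWD_RE = re.compile(r"\bPWD\s*=\s*[^;]+", re.IGNORECASE)


def find_backup_copies(webroot):
    """Return sorted (relative_path, has_password) pairs for matching files."""
    webroot = Path(webroot)
    findings = []
    for path in webroot.rglob("*"):
        if not path.is_file() or not BACKUP_NAME_RE.match(path.name):
            continue
        has_password = bool(PWD_RE.search(path.read_text(errors="replace")))
        rel = str(path.relative_to(webroot)).replace(os.sep, "/")
        findings.append((rel, has_password))
    return sorted(findings)


def demo():
    """Scan a constructed web root (temp dir) and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "global.asa").write_text("<SCRIPT RUNAT=Server></SCRIPT>")  # live file: fine
        (r / "default.asp").write_text("<% %>")
        (r / "global.asa.bak").write_text(
            'Session("DSN") = "DSN=dbACMESQL;UID=ACMEUSER;PWD=ACMEpassword"')
        (r / "inc").mkdir()
        (r / "inc" / "Copy of global.asa").write_text("' scratch copy, no secrets")
        return find_backup_copies(root)


if __name__ == "__main__":
    for rel, has_pwd in demo():
        print(f"{rel}: {'contains a password' if has_pwd else 'no password found'}")
```

Run it against the real web root instead of the temp directory, and pair it with request filtering that refuses to serve the matched extensions.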

Tips

A sample global.asa file is given below.

For illustration purposes, the string that gives the username and password is bracketed by asterisks.
<SCRIPT LANGUAGE=VBScript RUNAT=Server>
' You can add special event handlers in this file
' that will get run automatically when special
' Active Server Pages events occur. To create these handlers,
' just create a subroutine with a name from the list below
' that corresponds to the event you want to use.
' For example, to create an event handler for Session_OnStart,
' you would put the following code into this file (without the comments):

Sub Session_OnStart
    Session("WildCard") = "%"
    ' The DSN string embeds the database name, user name and password
    Session("DSN") = _
************************************
        "DSN=dbACMESQL;UID=ACMEUSER;PWD=ACMEpassword;DATABASE=ACMEDATA"
************************************
    Session("MaxRows") = 25
    Session("ServicesList") = ""
    Session("bLoggedIn") = False
    Session("ContactID") = -1
End Sub

Sub Application_OnStart
    ' Runs once when the first page of your application is run for the
    ' first time by any user
End Sub

Sub GetMfrOptions
    ' Builds an HTML <option> list of manufacturers and caches it in the session
    Dim Conn, rs, sSql, sT
    Set Conn = Server.CreateObject("ADODB.Connection")
    Conn.Open Session("DSN")
    sSql = "SELECT MfrID, Company FROM Mfr ORDER BY Company"
    Set rs = Conn.Execute(sSql)
    sT = ""
    Do While Not rs.EOF
        sT = sT & "<option value=" & rs.Fields("MfrID") & ">" & _
             rs.Fields("Company") & "</option>"
        rs.MoveNext
    Loop
    Session("MfrOptions") = sT
    rs.Close
    Set rs = Nothing
    Conn.Close
    Set Conn = Nothing
End Sub

' EventName            Description
' Application_OnStart  Runs once when the first page of your
'                      application is run for the first time by any user
' Application_OnEnd    Runs once when the web server shuts down
</SCRIPT>

Blogger | Security Researcher | Digital forensic analyst | Twitter — @mrunal110
