Fun_People Archive
26 Feb
Watch and learn.


Content-Type: text/plain
Mime-Version: 1.0 (NeXT Mail 3.3 v118.2)
From: Peter Langston <psl>
Date: Wed, 26 Feb 97 14:20:11 -0800
To: Fun_People
Subject: Watch and learn.

Forwarded-by: Keith Bostic <bostic@bostic.com>
Forwarded-by: jim@hosaka.SmallWorks.COM (Jim Thompson)
Forwarded-by: Brian Kelly <bkelly@sulaco.com>
From: "The Afternoon Line" by Jonathan Gregg, 21-Feb-97
(in with The Netly News at http://www.pathfinder.com/):

So while you're wondering how to stave off attacks by Balkan teenagers, you
might want to take a look at your server -- if it's a Microsoft Internet
Information Server 3.0, it may be telling more about you than just your
preference in software. Microsoft confirmed yesterday that a glitch in a
feature called Active Server Pages -- which combines scripts with HTML code
-- could be used by hackers to divulge private information about the
computer's owner. (Also susceptible are IIS 3.0's HTML Extension and
Internet Database Connector scripting features.) What's particularly
unfortunate is the ease with which the flaw can be exploited: Simply adding
a period at the end of a URL in the file window causes the contents of the
file to be displayed on the browser. That could include your database
passwords (a bummer for you) but it also includes the source code for the
Active Server Pages scripts, which makes it one of the easiest forms of
pirating yet devised -- and by the manufacturer, no less.  Teeth-gnashing
and frantic bug-squashing efforts are the order of the day at Microsoft,
which only two days ago put up a web site to address security problems with
its ActiveX control.
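
An added example, not part of the forwarded article: a log check that flags requests for the script types named above when the URL path ends in a period, and records whether the server answered 200. The log lines are constructed, the Common Log Format layout is an assumption, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote, urlsplit

# File types of the features named in the article: Active Server Pages,
# HTML Extension and Internet Database Connector.
SCRIPT_EXTENSIONS = (".asp", ".htx", ".idc")

# Request line and status code of a Common Log Format entry (assumed layout).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def trailing_dot_script(target):
    """Return the script path if target names a script followed by period(s)."""
    # Decode percent-escapes first so the check sees the path the server resolves.
    path = unquote(urlsplit(target).path)
    stripped = path.rstrip(".")
    if stripped != path and stripped.lower().endswith(SCRIPT_EXTENSIONS):
        return stripped
    return None

def scan(lines):
    """Return one finding per log line that requested a script with a trailing period."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match is None:
            continue  # not a request entry in the assumed format
        script = trailing_dot_script(match.group("target"))
        if script is not None:
            findings.append({
                "client": line.split(" ", 1)[0],
                "script": script,
                # A 200 means content was returned and the script needs review.
                "served": match.group("status") == "200",
            })
    return findings

# Constructed sample entries (documentation-range addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Feb/1997:10:01:02 -0800] "GET /orders/login.asp HTTP/1.0" 200 1843',
    '198.51.100.7 - - [26/Feb/1997:10:01:09 -0800] "GET /orders/login.asp. HTTP/1.0" 200 5120',
    '198.51.100.7 - - [26/Feb/1997:10:01:15 -0800] "GET /scripts/query.idc.?id=4 HTTP/1.0" 404 210',
    '192.0.2.10 - - [26/Feb/1997:10:02:00 -0800] "GET /docs/readme. HTTP/1.0" 200 77',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any script reported with "served" set should be treated as disclosed, and credentials embedded in it rotated.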


© 1997 Peter Langston