
Microsoft IIS Web Server and ASP.NET Forum

    
Protecting classic ASP site against viruses
abidshahzad4u




msg:3992134
 12:39 pm on Sep 19, 2009 (gmt 0)

Hi

How can I protect Classic ASP site from viruses?

Need some suggestions...

thanks

 

Ocean10000




msg:3992169
 3:14 pm on Sep 19, 2009 (gmt 0)

I am assuming you keep the server patched with the latest patches released by Microsoft for the OS version, along with the other software installed on the software, and that you have a firewall in place to only allow access to the ports needed to run the webserver.

The next most common thing to protect a site is to prevent Injection attacks.

Some Links and pointers to see if your site is currently vulnerable to SQL Injection and related style attacks. And other links to help you fix the problems that you may find.

Microsoft Security Advisory (954462) [microsoft.com]

KRMwebdesign




msg:3995643
 2:00 pm on Sep 25, 2009 (gmt 0)

Hi, could this code protect against SQL injection? I found it after trying to find a way to combat same.

Put it in the head of the login.asp page.

<%
'Declare MyUsername and MyPassword variables
Dim MyUsername, MyPassword
'get the username and password fields from your form
MyUsername=Request.Form("username")
MyPassword=Request.Form("password")

'Call the function IllegalChars to check for illegal characters
If IllegalChars(MyUsername)=True OR IllegalChars(MyPassword)=True Then
    Response.redirect("no_access.asp")
End If

'Function IllegalChars to guard against SQL injection
Function IllegalChars(sInput)
    'Declare variables
    Dim sBadChars, iCounter
    'Set IllegalChars to False
    IllegalChars=False
    'Create an array of illegal characters and words
    sBadChars=array("select", "drop", ";", "--", "insert", "delete", "xp_", _
        "#", "%", "&", "'", "(", ")", "/", "\", ":", ";", "<", ">", "=", "[", "]", "?", "`", "¦", "declare", "convert")
    'Loop through array sBadChars using our counter & UBound function
    For iCounter = 0 to uBound(sBadChars)
        'Use Function Instr to check presence of illegal character in our variable
        If Instr(sInput,sBadChars(iCounter))>0 Then
            IllegalChars=True
        End If
    Next
End function
%>

I'd also love to know if there is any way that someone can get around this piece of code?

marcel




msg:3995684
 3:04 pm on Sep 25, 2009 (gmt 0)

I suppose it would work, but it would be very annoying if I decided to have one of those characters in my password.

The best way to protect yourself from SQL injection is to use Stored Procedures or Parametrised Queries instead of inline SQL. And also follow the instructions in the link that Ocean10000 provided.
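
The parametrised-query approach recommended above, shown for a classic ASP login page as an added example that is not part of the original thread. The `Users` table and its columns, `Application("ConnStr")` and the `VerifyPassword` helper are assumed names, not taken from any poster's site.

```vbscript
<%
' Added example, not code from the thread.
' Assumed names: Users table (Username, PasswordHash columns),
' Application("ConnStr"), and a site-provided VerifyPassword(plain, hash).
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202

' Returns the stored hash for sUsername, or Null if there is no such user.
Function GetStoredHash(sUsername)
    Dim oConn, oCmd, oRs
    GetStoredHash = Null
    Set oConn = Server.CreateObject("ADODB.Connection")
    oConn.Open Application("ConnStr")
    Set oCmd = Server.CreateObject("ADODB.Command")
    Set oCmd.ActiveConnection = oConn
    oCmd.CommandType = adCmdText
    ' The ? placeholder is bound by the provider. The form value is never
    ' concatenated into the SQL text, so quotes and keywords stay data.
    oCmd.CommandText = "SELECT PasswordHash FROM Users WHERE Username = ?"
    oCmd.Parameters.Append oCmd.CreateParameter("pUser", adVarWChar, adParamInput, 50, sUsername)
    Set oRs = oCmd.Execute
    If Not oRs.EOF Then GetStoredHash = oRs("PasswordHash").Value
    oRs.Close
    oConn.Close
End Function

Dim sUser, sPass, vHash, bOk
sUser = Request.Form("username")
sPass = Request.Form("password")
bOk = False

' The length check keeps the value within the declared parameter size.
' It is ordinary validation, not the injection defence, and no characters
' are banned from the password.
If Len(sUser) > 0 And Len(sUser) <= 50 And Len(sPass) > 0 Then
    vHash = GetStoredHash(sUser)
    ' VBScript's And/Or do not short-circuit, so test for Null separately.
    If Not IsNull(vHash) Then bOk = VerifyPassword(sPass, vHash)
End If

If bOk Then
    Session("Username") = sUser
Else
    Response.Redirect "no_access.asp"
End If
%>
```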

aish1108




msg:4071644
 12:06 am on Feb 1, 2010 (gmt 0)

I'm pretty sure that InStr by default does a case-sensitive comparison
[w3schools.com...]

So it would not catch "sElect", "drOp", "inseRt", "dElete", "xP_"

If that were the case then instead use
If Instr(sInput,sBadChars(iCounter),1)>0 Then

Seb7




msg:4072669
 12:23 pm on Feb 2, 2010 (gmt 0)

I've yet to see a virus attack classic ASP itself, and yet to come across any vulnerability with classic ASP.

The only vulnerability I've seen is with things like SQL, and people deliberately leaving back doors open.

--
instr(num_start,str_to_be_search,str_searching_with,type_of_search)
type_of_search = 1 for a text, caseless search.
