Welcome to WebmasterWorld Guest from 54.196.233.208

Forum Moderators: ocean10000

Message Too Old, No Replies

Protecting classic ASP site against viruses

     
12:39 pm on Sep 19, 2009 (gmt 0)

Junior Member

5+ Year Member

joined:May 11, 2009
posts:74
votes: 0


Hi

How can I protect Classic ASP site from viruses?

Need some suggestions...

thanks

3:14 pm on Sept 19, 2009 (gmt 0)

Administrator

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

joined:Jan 14, 2004
posts:852
votes: 0


I am assuming you keep the server patched with the latest patches released by Microsoft for the OS Version. Along with the other software installed on the software. And that you have a firewall in place to only allow access to the ports needed to run the webserver.

The next most common thing to protect a site is to prevent Injection attacks.

Some Links and pointers to see if your site is currently vulnerable to SQL Injection and related style attacks. And other links to help you fix the problems that you may find.

Microsoft Security Advisory (954462) [microsoft.com]

2:00 pm on Sept 25, 2009 (gmt 0)

Junior Member

5+ Year Member

joined:Sept 11, 2009
posts:108
votes: 0


Hi, could this code protect against SQL injection? I found it after trying to find a way to combat same.

Put it in the head of the login.asp page.

<%
'Declare MyUsername and MyPassword variables
Dim MyUsername, MyPassword
'get the username and password fields from your form
MyUsername=Request.Form("username")
MyPassword=Request.Form("password")

'Call the function IllegalChars to check for illegal characters
If IllegalChars(MyUsername)=True OR IllegalChars(MyPassword)=True Then
Response.redirect("no_access.asp")
End If

'Function IllegalChars to guard against SQL injection
Function IllegalChars(sInput)
'Declare variables
Dim sBadChars, iCounter
'Set IllegalChars to False
IllegalChars=False
'Create an array of illegal characters and words
sBadChars=array("select", "drop", ";", "--", "insert", "delete", "xp_", _
"#", "%", "&", "'", "(", ")", "/", "\", ":", ";", "<", ">", "=", "[", "]", "?", "`", "¦", "declare", "convert")
'Loop through array sBadChars using our counter & UBound function
For iCounter = 0 to uBound(sBadChars)
'Use Function Instr to check presence of illegal character in our variable
If Instr(sInput,sBadChars(iCounter))>0 Then
IllegalChars=True
End If
Next
End function
%>

I'd also love to know if there is any way that someone can get around this piece of code?

3:04 pm on Sept 25, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 1, 2005
posts:732
votes: 0


I suppose it would work, but it would be very annoying if I decided to have one of those characters in my password.

The best way to protect yourself from SQL injection is to use Stored Procedures or Parametrised Queries instead of inline SQL. And also follow the instructions in the link that Ocean10000 provided.

12:06 am on Feb 1, 2010 (gmt 0)

Junior Member

5+ Year Member

joined:Jan 15, 2007
posts: 64
votes: 0


I'm pretty sure that InStr by default does a case sensitive comparison
[w3schools.com...]

So it would not catch, "sElect", "drOp", "inseRt", "dElete", "xP_"

If that were the case then instead use
If Instr(sInput,sBadChars(iCounter),1)>0 Then

12:23 pm on Feb 2, 2010 (gmt 0)

Preferred Member

5+ Year Member

joined:Nov 20, 2007
posts:585
votes: 0


I've yet to see a virus attack classic ASP itself, and yet to come across any vulnerability with classic ASP.

The only vulnerability I've seen is with things like SQL, and people deliberately leaving back doors open.

--
instr(num_start,str_to_be_search,str_searching_with,type_of_search)
type_of_search = 1 for a text, caseless search.