stealing ASP pages?

is it possible

         

txbakers

7:16 pm on Aug 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I know that if I type a .css or .js in a browser, it will download the entire css or js page for me. Same with a .doc, or .xls, etc.

But .asp will bring up a rendered page. In another post, someone mentioned that with ASP (as opposed to a COM) hackers can get in and swipe the code.

Is that possible? Can a client-side browser be configured to not read ASP pages, but instead be forced to download them?

dmorison

7:44 pm on Aug 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Can you post a link to the thread?

A correctly configured IIS box should never serve a raw ASP file under ANY conditions, but that doesn't mean there isn't an unpatched IIS hole that would allow it to happen...

They could of course be talking about a generic server hack that gives access to the file system, therefore allowing access to raw .asp source files.

[edited by: dmorison at 8:00 pm (utc) on Aug. 11, 2003]

moltar

7:49 pm on Aug 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Or that file that used to come by default and allowed you to view page source.

sullen

7:51 pm on Aug 11, 2003 (gmt 0)

10+ Year Member



Yes, sounds like another anti-Microsoft rumour to me.

There have been one or two bugs in IIS that would have allowed such a thing, but the patches were released long ago.

txbakers

8:11 pm on Aug 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That's what I thought - thanks.

RossWal

10:15 pm on Aug 11, 2003 (gmt 0)

10+ Year Member



I've heard it rumored that through some buffer overflow hacks you can get IIS to serve up untranslated asp code, FWIW.

Also, watch out for include files. If the extension is not one that is defined to the ASP preprocessor, IIS will spit it straight out to the internet. (.inc is a prime example)

Ross
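Added example, not part of any post in this thread: a web-root audit for the include-file exposure described above. It flags files that contain server-side ASP markers but whose extension is not mapped to the script engine; the mapped set, the sample tree and the function names are assumptions, and `.bak` copies are covered as well as `.inc` because the same condition applies to them.

```python
import os
import re
import tempfile

# Assumption: extensions this server hands to the ASP engine. Adjust to match
# the script mappings actually configured for the site.
SCRIPT_MAPPED = {".asp"}

# Server-side markers: ASP script delimiters and SSI include directives.
SERVER_CODE = re.compile(rb"<%|<!--\s*#include\b", re.IGNORECASE)


def find_exposed_source(web_root, mapped=SCRIPT_MAPPED):
    """Return web-relative paths that hold server code but would be sent raw."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if os.path.splitext(name)[1].lower() in mapped:
                continue  # the engine executes these, the source is not sent
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(256 * 1024)  # markers sit near the top
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if SERVER_CODE.search(head):
                rel = os.path.relpath(path, web_root)
                findings.append(rel.replace(os.sep, "/"))
    return sorted(findings)


def build_sample_site(root):
    """Write a small constructed site tree used to exercise the audit."""
    files = {
        "default.asp": b'<!--#include file="inc/db.inc"-->\n<% Response.Write "hi" %>',
        "inc/db.inc": b'<% Const DSN = "Provider=SQLOLEDB;Password=example" %>',
        "inc/util.asp": b"<% Function Clean(s): Clean = Trim(s): End Function %>",
        "css/site.css": b"body { margin: 0 }",
        "old/default.asp.bak": b'<% Response.Write "old" %>',
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for hit in find_exposed_source(site):
            print("served as plain text:", hit)
```

Each finding is fixed by renaming the file to a mapped extension, moving it outside the web root, or denying requests for that extension.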

macrost

10:22 pm on Aug 11, 2003 (gmt 0)

10+ Year Member



Just to put my two cents in... I had a client that had one website, that I developed with ASP. Well, for some reason, he had 2 nameservers pointing to that server running the website, and when he was working with Overture, they kept seeing my ASP code directly from the browser.

The site is virtually hosted, and before he deleted the second nameserver, my code was exposed to whoever hit the site from that nameserver. I know it's weird, but Overture proved it to me by sending me a screenshot of my code in a browser.

Talk about being scared! It took the hosting company and I 2 hours to finally what was going on. If anyone has any theories on this, please pipe in.

Mac

bakedjake

10:23 pm on Aug 11, 2003 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Talk about being scared! It took the hosting company and I 2 hours to finally what was going on. If anyone has any theories on this, please pipe in.

Sounds like an incorrectly set MIME type. Check that first.

aspdaddy

10:58 pm on Aug 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I've had this happen just once in 4 yrs, it showed the asp/html just like it was in notepad.

Never found out why, other sites on the same server were ok. I took the site down. A few hours later it was fixed. I guess the ISP changed something.

Any uncompiled code is potentially easy to steal if you have server access.

I have friends who are software engineers who think we are crazy to put whole uncompiled apps (ASP Scripts) on other people's servers, but what can you do?

Most ISPs don't allow your components and why bother anyway? Most ASP stuff is in the public domain. It's not rocket science :)

TheDave

6:21 am on Aug 12, 2003 (gmt 0)

10+ Year Member



aspdaddy, your ISP didn't accidentally set you up on a nix server like mine did? ;) That was fixed quick too :)

bilalak

9:34 am on Aug 12, 2003 (gmt 0)

10+ Year Member



For the site that was showing the asp code instead of executing it.
Most DNS servers register DNS entries and cache them for some time. It happened that your site was moved onto a non-asp server with a different IP. This IP was registered in the DNS cache of Overture.
Then the hosting company noticed this error and corrected it without flushing the DNS cache that the first name server was using, or the name server did not update the IP in time. In addition, a copy of the web site was still on the non-asp server.

This is why one server kept the old IP of the non-asp server that has a copy of your website (either backup or fault tolerance), while the other nameserver pointed to the correct server that can run asp code well.

This happened to me once, when the hosting company moved all my sites to another server and another backup server. Under load time, there were copies of an asp web site on 3 servers. One of them did not interpret asp or jsp. Every once in a while I get the code sent to the users instead of being rendered. It took them a lot of time to know the reason behind that weird behavior.

Just go with high level hosting centers.

Luck!