Last post Sep 22, 2010 10:04 AM by owjeff
Sep 21, 2010 06:37 AM|StefanW|LINK
I have a webapp built in classic ASP, but it runs on an IIS7 with .NET support. Are there any security issues caused by this vulnerability? Classic ASP does not use either viewState or the web.config file, so there shouldn't be any problem, right?
Sep 21, 2010 07:08 AM|mnongkhlaw|LINK
I guess not. Cheers to classic ASP.
Sep 21, 2010 04:42 PM|jonkIIS|LINK
Yes, it doesn't have a web.config, but isn't a classic site still running/being processed by ASP.NET behind the scenes? I'm assuming it is, since when I hit http://myserver.com/pagethatdoesntexist.aspx it shows the ASP.NET version (IIS6).
Maybe I should postpone the budget to rewrite the ol' classic site with ASP.NET 4.
Sep 21, 2010 06:07 PM|Duncan Smart|LINK
No, classic ASP is not processed by ASP.NET behind the scenes. What you are seeing is requests with the *.asp extension being handled by classic ASP and requests to *.aspx being handled separately by ASP.NET as they are both enabled on your site.
If you want, remove the ASP.NET handler mappings from the site using aspnet_regiis.exe, or disable ASP.NET completely using the Web Extensions node in IIS Manager.
Sep 21, 2010 06:53 PM|jonkIIS|LINK
Makes sense (I should have known that), thanks for the info!
Sep 22, 2010 01:52 AM|yaur|LINK
Navigate to http://yoursite/WebResource.axd?d=something
If you are getting anything other than a 404, you are probably vulnerable. The vulnerability allows downloading of arbitrary files inside of the app's virtual root, not just the web.config file.
If you are not using them, you can (and probably should) disable both WebResource.axd and ScriptResource.axd in the IIS Manager.
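The check described in the post above, run against both handlers on a site you administer, as an added Python example that is not part of any post in this thread. The function names are illustrative, and "anything other than 404" is the thread's rule of thumb for whether the handlers are still mapped, not a full vulnerability test.

```python
import urllib.error
import urllib.request

# The two handlers named in the thread.
AXD_HANDLERS = ("WebResource.axd", "ScriptResource.axd")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report the handler's own status instead of following a redirect
    to a custom error page (which would hide it behind a 200)."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_axd_handlers(base_url, timeout=10):
    """Return {handler: HTTP status, or None if the request failed}."""
    opener = urllib.request.build_opener(_NoRedirect)
    results = {}
    for handler in AXD_HANDLERS:
        # "d=something" is the placeholder query string from the post.
        url = f"{base_url.rstrip('/')}/{handler}?d=something"
        try:
            with opener.open(url, timeout=timeout) as resp:
                results[handler] = resp.status
        except urllib.error.HTTPError as err:
            results[handler] = err.code   # 4xx/5xx and unfollowed 3xx
        except (urllib.error.URLError, OSError):
            results[handler] = None       # no answer: inconclusive
    return results


def still_mapped(results):
    """Handlers that answered with something other than 404."""
    return sorted(h for h, s in results.items()
                  if s is not None and s != 404)


if __name__ == "__main__":
    import sys
    res = probe_axd_handlers(sys.argv[1])  # e.g. http://yoursite
    for handler, status in res.items():
        print(f"{handler}: {status}")
    print("still mapped:", still_mapped(res) or "none")
```

An empty "still mapped" list after disabling the handlers in IIS Manager confirms the change took effect; a `None` status means the request never completed and says nothing either way.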
Sep 22, 2010 10:04 AM|owjeff|LINK
Classic ASP isn't affected directly, but if your site supports ASP.NET, you should implement the workaround to be safe.