              
dayve (Forum Moderator, USA, 5820 Posts)
Posted - 13 November 2001 : 01:45:06

Simplicity at its best. So many times I copy my ASP files to txt for sharing, but now I find it easier to read the ASP like an FSO object to display source, and it is dynamic, meaning up-to-date realtime code...
Anyway, if anyone is interested in doing the same just create a page named something like:
 
 display_source.asp
 
<%
' The page to display is taken straight from the query string (e.g. ?page=forum_page.asp)
asp = Request.QueryString("page")
' Open the file through the FileSystemObject, resolving the name relative to this script's folder
set fso = CreateObject("Scripting.FileSystemObject")
set act = fso.OpenTextFile(Server.MapPath(asp))
read_asp = act.ReadAll
act.Close
' HTMLEncode so the source is shown as text rather than rendered or executed by the browser
Response.Write "<pre>" & Server.HTMLEncode(read_asp) & "</pre>"
%>
 
Put this in your forum directory and then you are done. Calling the source for any page is simple. Just enter this URL:

http://www.yourpage.com/forum/display_source.asp?page=forum_page.asp

And here is a live example:
 
 Members Page
 
 I guess it would be just as simple to add a form element so you can directly enter the page you wish to view in an input field...
 
 ____________
 dayve
 http://www.nineinchnailz.com/forum
 
 Edited by - dayve on 13 November 2001  01:46:27

dayve (Forum Moderator, USA, 5820 Posts)
Posted - 13 November 2001 : 01:49:00

I guess I should add a word of warning. If you have hard coded any kind of security passwords or other things that you don't want to share, then be leery of using this. I for one do not hard code stuff like that. Also, it is possible to grab source from other directories as well. Just want to make sure everyone is aware of this.
 ____________
 dayve
 http://www.nineinchnailz.com/forum

Classicmotorcycling (Development Team Leader, Australia, 2085 Posts)

Da_Stimulator (DEV Team Forum Moderator, USA, 3373 Posts)
Posted - 13 November 2001 : 03:23:48

You could filter out those directory inputs...

page = Request.QueryString("page")
if Left(page, 3) = "../" then
    ' reject a relative path that starts by climbing out of this directory
    Response.Write "Invalid page"
elseif Left(page, 1) = "/" then
    ' reject an absolute path from the site root
    Response.Write "Invalid page"
else
    ' passed the filter: read and display the file here
end if
 
 ----
 -Eric (da_stimulator)
 Stims Snitz Test area - Running 3.3.03, 4 beta, Huw's code, and Davio's code
 Need a Mod? Check out the Mod Resource

redbrad0 (Advanced Member, USA, 3725 Posts)
Posted - 13 November 2001 : 09:50:48

If anyone is using this, also make sure you do not allow people to be able to view the source of config.asp. I tried it on Dayve and he did make it so you can't view his config.asp file, which is really good so people don't know how to get to your database.
 Brad
 Web Hosting with SQL Server @ $24.95 per month
 Snitz Mod Archive
 
 

dayve (Forum Moderator, USA, 5820 Posts)
Posted - 13 November 2001 : 10:30:42

Yeah, I threw some caution about this but maybe I should have emphasized a little bit more. Definitely hide scripts that point to databases such as config.asp, as redbrad0 noticed I did. Thanks for the parsing bit da_stimulator.
 ____________
 dayve
 http://www.nineinchnailz.com/forum

SimonT (Junior Member, United Kingdom, 202 Posts)
Posted - 13 November 2001 : 11:19:38

I love topics about security :-) I have seen so many sites that have used just what Dayve has said. It is really good for newbies to ASP to see how the code works, but it's a real security nightmare. If you are going to use the code then you will need to do a lot more security checks to make sure that the code is secure. I believe if you just add the security checks that Da_Stimulator says, you might be able to get round it by using encoded strings to get past the checks; I have not checked as I have no time. See this code as just example code.
 
 
 
 
 

redbrad0 (Advanced Member, USA, 3725 Posts)

redbrad0 (Advanced Member, USA, 3725 Posts)
Posted - 13 November 2001 : 14:39:46

Thinking about it, I think this would be a great file to add into the Snitz files. This way when someone has a problem, people from the forum can view their ASP files to see if they see a problem. But it would really have to be worked for security reasons. Maybe the file just being in the tools zip file, and make it so you can only read the directory that the file is in.
 Brad
 Web Hosting with SQL Server @ $24.95 per month
 Snitz Mod Archive
 
 

SimonT (Junior Member, United Kingdom, 202 Posts)

Da_Stimulator (DEV Team Forum Moderator, USA, 3373 Posts)
Posted - 15 November 2001 : 03:45:35

But mine did... I emailed you dayve about what I did and how you can fix it :) Don't wanna post it here for security reasons.
 ----
 -Eric (da_stimulator)
 Stims Snitz Test area - Running 3.3.03, 4 beta, Huw's code, and Davio's code
 Need a Mod? Check out the Mod Resource

dayve (Forum Moderator, USA, 5820 Posts)
Posted - 15 November 2001 : 16:40:07

quote:
    but mine did... I emailed you dayve about what I did and how you can fix it :) don't wanna post it here for security reasons
    ----
    -Eric (da_stimulator)
    Stims Snitz Test area - Running 3.3.03, 4 beta, Huw's code, and Davio's code
    Need a Mod? Check out the Mod Resource

 I didn't get the email for some strange reason.  Please send it again and/or send it to dharris@hafresno.org  thanks...
 
 ____________
 dayve
 http://www.nineinchnailz.com/forum

Kenno (Average Member, Cambodia, 846 Posts)
Posted - 15 November 2001 : 18:21:07

quote:
    but mine did... I emailed you dayve about what I did and how you can fix it :) don't wanna post it here for security reasons
    ----
    -Eric (da_stimulator)
    Stims Snitz Test area - Running 3.3.03, 4 beta, Huw's code, and Davio's code
    Need a Mod? Check out the Mod Resource

 Well, it's good that you can find the security hole, however if you do not tell us, how do we know we can avoid those problems if we are to use the code above??? (just curious)
 
 ÷§÷ KhmerSite.net ÷§÷

Davio (Development Team Member, Jamaica, 12217 Posts)
Posted - 15 November 2001 : 23:18:21

quote:
    Thinking about it, I think this would be a great file to add into the snitz files. This way when someone has a problem, people from the forum can view their asp files to see if they see a problem. but it would really have to be worked for security reasons. maybe the file just being in the tools zip file and make it so you can only read the directory that the file is in.
    Brad
    Web Hosting with SQL Server @ $24.95 per month
    Snitz Mod Archive

Great idea Brad. I think just a function that checks permissions to see if you are allowed to view that file is needed. It would greatly reduce us who are helping users with their forum, to see the source code of their files.

Think I will work on this for my forum. Sourceforge has something like this on their site. A "Show Source" link at the bottom of the pages.
  
 - David
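Added example (editor's note, not code from the forum or from Snitz): the thread raises four requirements for a "show source" page in turn: dayve's script reads whatever name arrives in the query string; Da_Stimulator's filter rejects only values that start with "../" or "/"; Brad says config.asp must never be served and that the tool should read only the directory it lives in; SimonT suspects encoded strings can get past a prefix test; Davio asks for a single function that decides whether a file may be shown. The Python below collects all of that into one check so it can be run stand-alone here. It is written in Python rather than VBScript so it can be executed and tested; the technique (decode, canonicalise, then compare the resolved path against the allowed directory, and apply a deny list) is the same one a hardened display_source.asp would need. The names DENIED_FILES, naive_is_blocked, resolve_page, read_source and build_demo_dir, the double percent-decoding, the ".asp-only" rule and the two sample files are this example's own assumptions; naive_is_blocked is a literal transcription of the prefix test posted above, kept only to show what it does and does not see.

```python
import html
import os
import tempfile
from typing import Optional
from urllib.parse import unquote

# Files that must never be served no matter how they are requested.
# The thread singles out config.asp because it holds the database details.
DENIED_FILES = {"config.asp"}


def naive_is_blocked(page: str) -> bool:
    """The prefix test as posted in the thread, transcribed literally:
    only a value that *starts* with '../' or '/' is rejected."""
    return page.startswith("../") or page.startswith("/")


def resolve_page(base_dir: str, page: str) -> Optional[str]:
    """Return the absolute path that may be served, or None to refuse.

    Rules (the thread's advice made concrete; the rules and names are this
    example's choices, not the forum's code):
      * percent-decode twice so an encoded '..' is judged as '..'
        (assumption: the web server decodes once, so a doubly encoded
        value would otherwise survive that first decoding)
      * treat backslashes as separators; refuse absolute paths, drive
        letters and NUL bytes outright
      * canonicalise with realpath and require the file to sit directly in
        base_dir, which is Brad's "only read the directory the file is in"
      * refuse the deny list and anything that is not a .asp file
    """
    base = os.path.realpath(base_dir)
    decoded = unquote(unquote(page)).replace("\\", "/")
    if not decoded or decoded.startswith("/") or ":" in decoded or "\x00" in decoded:
        return None
    # Resolve '..', symlinks and redundant separators before comparing.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.dirname(candidate) != base:
        return None
    name = os.path.basename(candidate).lower()
    if name in DENIED_FILES or not name.endswith(".asp"):
        return None
    return candidate


def read_source(base_dir: str, page: str) -> Optional[str]:
    """What display_source.asp does once the check has passed: read the file
    and HTML-encode it inside <pre> so it is shown as text, not rendered."""
    path = resolve_page(base_dir, page)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return "<pre>" + html.escape(fh.read()) + "</pre>"


def build_demo_dir() -> str:
    """Create a throwaway forum directory with two constructed files so the
    example runs offline; the contents are placeholders, not real code."""
    d = tempfile.mkdtemp(prefix="forum_")
    with open(os.path.join(d, "forum_page.asp"), "w", encoding="utf-8") as fh:
        fh.write('<% Response.Write "hello" %>\n')
    with open(os.path.join(d, "config.asp"), "w", encoding="utf-8") as fh:
        fh.write('<% strConnString = "PLACEHOLDER-CONNECTION-STRING" %>\n')
    return d


if __name__ == "__main__":
    forum = build_demo_dir()
    requests = ["forum_page.asp", "config.asp", "../config.asp",
                "%2e%2e/config.asp", "/config.asp", "notes.txt"]
    for req in requests:
        print(f"{req!r:22} prefix test blocks: {naive_is_blocked(req)!s:5} "
              f"hardened check serves: {resolve_page(forum, req) is not None}")
```

The contrast the thread is circling is visible in the output: the prefix test says nothing about "config.asp" (it is in the allowed directory, so no prefix is wrong) and does not recognise a percent-encoded ".." because it compares raw characters, whereas resolve_page decides on the resolved path and the file name, so the outcome is the same however the name was spelled. Comparing os.path.dirname of the resolved path with the resolved base directory is also what makes "only the directory the file is in" a property the code enforces rather than a convention the caller is trusted to follow.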

dayve (Forum Moderator, USA, 5820 Posts)
Posted - 16 November 2001 : 00:16:32

quote:
    quote:
        but mine did... I emailed you dayve about what I did and how you can fix it :) don't wanna post it here for security reasons
        ----
        -Eric (da_stimulator)
        Stims Snitz Test area - Running 3.3.03, 4 beta, Huw's code, and Davio's code
        Need a Mod? Check out the Mod Resource

    Well, it's good that you can find the security hole, however if you do not tell us, how do we know we can avoid those problems if we are to use the code above??? (just curious)

    ÷§÷ KhmerSite.net ÷§÷

 I think since I am actively using it he wants to show me how to plug the hole before exploiting this to other potential users of this code.  in short, maybe don't use it until I find out what is causing my security issue here... I have not yet received an email about this
  
 ____________
 dayve
 http://www.nineinchnailz.com/forum

Da_Stimulator (DEV Team Forum Moderator, USA, 3373 Posts)
Posted - 16 November 2001 : 00:41:03

My hotmail account won't open, I keep getting errors. I tried sending you an email from these forums, and I guess you didn't get it... maybe I'll cheat and send you a 'send this topic to a friend' thing and put in the alternate email you gave me...
 ----
 -Eric (da_stimulator)
 Stims Snitz Test area - Running 3.3.03, 4 beta, Huw's code, and Davio's code
 Need a Mod? Check out the Mod Resource