Web.config security issue

A colleague raised an interesting security ‘gotcha’ related to web.config files last week. Apparently this particular gem was raised at a recent Microsoft conference in London Village, and there was a collective ‘gasp’ from the audience as a roomful of developers realised that at some point they had probably left at least one of their web applications open to the world’s easiest hack.

In a nutshell, never rename your web.config files to web.config.old, web.config.bak, etc. IIS refuses to serve the .config extension itself, but unless you have explicitly prohibited access to files with the renamed extension, it will quite happily serve these copies up as readily as it would .html or .jpg files, potentially leaving all the database connection strings, server addresses and other goodies you put in your config files unprotected. Apparently hackers are already well onto this one, and have developed bots to scour sites looking for these renamed files. You have been warned!
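As an added example (not from the original post), here is a small audit script for exactly this problem: it walks a deployment directory for renamed web.config copies and other backup-suffixed files, then checks the live web.config to see which of those extensions are denied by IIS request filtering (`<requestFiltering><fileExtensions>`). The sample site it builds is constructed for the demo, and the check assumes web.config sits at the web root and ignores `allowUnlisted="false"` allow-list setups.

```python
"""Audit an IIS web root for leftover web.config copies (constructed example)."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Extensions a developer typically picks when renaming a file "just for now".
BACKUP_EXTENSIONS = {".bak", ".old", ".orig", ".copy", ".save"}

# Constructed sample: a live web.config that blocks only .bak. Not a real deployment.
SAMPLE_WEB_CONFIG = """<configuration><system.webServer><security><requestFiltering>
  <fileExtensions><add fileExtension=".bak" allowed="false" /></fileExtensions>
</requestFiltering></security></system.webServer></configuration>"""

def build_sample_site(root):
    """Write the constructed site: live config, a page, and two renamed copies."""
    files = {"web.config": SAMPLE_WEB_CONFIG, "index.html": "<h1>hi</h1>",
             "web.config.bak": "<!-- copy -->", "web.config.old": "<!-- copy -->"}
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as f:
            f.write(body)

def find_config_backups(webroot):
    """Renamed copies of web.config, plus any file with a backup-style extension."""
    hits = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            lower = name.lower()
            if lower == "web.config":
                continue  # the live file: IIS request filtering denies .config by default
            if lower.startswith("web.config") or os.path.splitext(lower)[1] in BACKUP_EXTENSIONS:
                hits.append(os.path.relpath(os.path.join(dirpath, name), webroot))
    return sorted(hits)

def denied_extensions(web_config_path):
    """Extensions blocked via <requestFiltering><fileExtensions> (ignores allowUnlisted)."""
    root = ET.parse(web_config_path).getroot()
    return {add.get("fileExtension", "").lower() for fe in root.iter("fileExtensions")
            for add in fe.findall("add") if add.get("allowed", "true").lower() == "false"}

def exposed_backups(webroot):
    """Backup files whose extension request filtering would still let IIS serve."""
    denied = denied_extensions(os.path.join(webroot, "web.config"))
    return [p for p in find_config_backups(webroot) if os.path.splitext(p)[1].lower() not in denied]

def demo():
    """Build the constructed site in a temp dir and return (found, denied, exposed)."""
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        denied = sorted(denied_extensions(os.path.join(site, "web.config")))
        return find_config_backups(site), denied, exposed_backups(site)
```

Run `demo()` and the .old copy shows up as exposed, because the sample config only denies .bak; the fix is to deny every backup extension you might ever use, or better, never leave the copies in the web root at all.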
