DWT Security Hole?

Ken

I noticed that if you look at the source code of a web page that uses a
FrontPage .dwt file, you can see that the page used a .dwt file by the
following:

<!-- #BeginTemplate "_template.dwt" -->

Now if you then enter the "_template.dwt" page in the browser with the
approp. url, you can actually see the source code of "_template.dwt".

If you have any asp code in the .dwt file, include files etc etc, this
information can all be seen right in the browser as the file is treated as a
text file.

How can you go about securing your dwt files to prevent this?

This seems like a huge security hole to me.

Thanks
 
Ronx

Place your DWT in the _private folder. If permissions on the web site are
set correctly, this will be "off limits" to all, except authorised authors.
 
Stefan B Rusynko

Or better still in a subweb w/ unique permissions
- the _private folder permissions are not as "strong" as a subweb
(that would also prevent users of the DWT from modifying it)




| Place your DWT in the _private folder. If permissions on the web site are
| set correctly, this will be "off limits" to all, except authorised authors.
|
| --
| Ron Symonds (Microsoft MVP - FrontPage)
| Reply only to group - emails will be deleted unread.
|
|
| | >I noticed that if you look at the source code of a web page that uses a
| >FrontPage .dwt file, you can see that the page used a .dwt file by the
| >following:
| >
| > <!-- #BeginTemplate "_template.dwt" -->
| >
| > Now if you then enter the "_template.dwt" page in the browser with the
| > approp. url, you can actually see the source code of "_template.dwt".
| >
| > If you have any asp code in the .dwt file, include files etc etc, this
| > information can all be seen right in the browser as the file is treated as
| > a text file.
| >
| > How can you go about securing your dwt files to prevent this?
| >
| > This seems like a huge security hole to me.
| >
| > Thanks
| >
|
|
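An added example, not written by anyone in this thread: a local audit of the advice above, run against your own copy of the site. It finds every `#BeginTemplate` marker, resolves the referenced .dwt file, and reports templates that sit outside a `_private` folder, noting whether they contain ASP or include directives. Assumptions: the marker path is relative to the page that carries it, the function names and sample files are constructed for illustration, and the check goes by folder name only, so it does not verify the permissions actually set on `_private` or on a subweb.

```python
import re
import tempfile
from pathlib import Path

# Marker FrontPage leaves in a page built from a Dynamic Web Template.
MARKER = re.compile(r'<!--\s*#BeginTemplate\s+"([^"]+\.dwt)"\s*-->', re.I)
PAGE_SUFFIXES = {".htm", ".html", ".asp"}
# ASP script blocks and server-side includes that would be readable as text.
SERVER_CODE = re.compile(r"<%|<!--\s*#include", re.I)

def exposed_templates(site_root):
    """Map each referenced .dwt outside _private to the pages that name it."""
    root = Path(site_root).resolve()
    findings = {}
    for page in sorted(root.rglob("*")):
        if not page.is_file() or page.suffix.lower() not in PAGE_SUFFIXES:
            continue
        for ref in MARKER.findall(page.read_text(errors="replace")):
            # Assumption: the quoted path is relative to the referencing page.
            target = (page.parent / ref.replace("\\", "/")).resolve()
            if not target.is_file() or root not in target.parents:
                continue  # missing template, or path escapes the site root
            rel = target.relative_to(root)
            if any(part.lower() == "_private" for part in rel.parts[:-1]):
                continue  # already where the thread recommends (name check only)
            entry = findings.setdefault(rel.as_posix(), {"pages": [], "server_code": False})
            entry["pages"].append(page.relative_to(root).as_posix())
            entry["server_code"] = bool(SERVER_CODE.search(target.read_text(errors="replace")))
    return findings

def build_sample_site(root):
    """Constructed sample: one template in the web root, one in _private."""
    root = Path(root)
    (root / "_private").mkdir(parents=True)
    (root / "docs").mkdir()
    (root / "_template.dwt").write_text('<html><% Dim conn %><!-- #include file="db.inc" --></html>')
    (root / "_private" / "safe.dwt").write_text("<html></html>")
    (root / "index.htm").write_text('<!-- #BeginTemplate "_template.dwt" --><p>home</p>')
    (root / "docs" / "a.htm").write_text('<!-- #BeginTemplate "../_template.dwt" --><p>a</p>')
    (root / "about.htm").write_text('<!-- #BeginTemplate "_private/safe.dwt" --><p>about</p>')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        for path, info in exposed_templates(tmp).items():
            print(path, info)
```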
 