When will people learn?

http://www.google.com/search?q=intitle%3A%22index+of%22+intext%3Aweb.config&btnG=Search
Published Monday, April 11, 2005 6:12 PM by Travis
Filed under:

Comments

# re: When will people learn?

Monday, April 11, 2005 9:04 PM by Guest
what do you want people to learn? I didnt get what you intended to say

# re: When will people learn?

Monday, April 11, 2005 10:23 PM by M. Keith Warren
I am almost as amazed by the number of people who leave in the default comments!

# re: When will people learn?

Monday, April 11, 2005 10:37 PM by Jake
Directory browsing...

# re: When will people learn?

Monday, April 11, 2005 10:39 PM by G
..and then click on web.config, and read the contents!

# re: When will people learn?

Tuesday, April 12, 2005 3:00 AM by Doogie
interesting, people are still not disable 'directory browsing' (although it is disabled by default in IIS 6).

Thanx!

# re: When will people learn?

Tuesday, April 12, 2005 3:00 AM by Doogie
interesting, people still not disable 'directory browsing' (although it is disabled by default in IIS 6).

Thanx!

# re: When will people learn?

Tuesday, April 12, 2005 8:36 AM by James Avery
I think some of these cases this is the intended results. A couple of the results look like school projects that you would need to be able to download the entire project. I could be wrong though.

-James

# re: When will people learn?

Tuesday, April 12, 2005 9:37 AM by Bob
It is even MORE boggling that they kinda have to do this on purpose?!?!?!?

As one of my favorite firemen says,

"Sweet Chocolate Christ!"

# re: When will people learn?

Tuesday, April 12, 2005 10:20 AM by Bil Simser
What a bunch of silly people. Not only do they leave directory browsing enabled, looking at some of the web.config files they have SQL servers sitting on the net with "userid=sa;password=" in them. Nice.

# re: When will people learn?

Tuesday, April 12, 2005 10:20 AM by Bil Simser
What a bunch of silly people. Not only do they leave directory browsing enabled, looking at some of the web.config files they have SQL servers sitting on the net with "userid=sa;password=" in them. Nice.

# re: When will people learn?

Tuesday, April 12, 2005 10:58 AM by Travis
Yea, alot of them look like just school tests, or really simple projects. However, there are alot with *revealing* information. In the google URL change web.config to connect.inc and you can get all the PHP hosted passwords... :-)

# re: When will people learn?

Tuesday, April 12, 2005 11:16 AM by James Crowley
Shouldn't ASP.NET be chucking up an error saying that it doesn't serve those file extensions? (like it does for .vb and .cs files)... or does enabling directory browsing override that?

# re: When will people learn?

Tuesday, April 12, 2005 12:04 PM by Travis
It should, and by default it does. However, I think there are cases when using FP Extensions that it will reveal these files. FP Extensions asside, its possible to config your web server to serve these pages regardless.

# re: When will people learn?

Tuesday, April 12, 2005 1:23 PM by Christophe Lauer [MS]
Since some of those servers showing a nice directory listing expose as "Apache/1.3.26 Server at XXXXXXXXXXXXX Port 80", I guess that we're not seeing ASP.NET actually, but some Mono test apps on some Apache servers...
My guess.

Leave a Comment

(required) 
(required) 
(optional)
(required)