I am creating an asp page to collect username/password from the user
and validate it against the DB.
Problem is, it's like this:
- Page initially shows user and pwd inputs with a submit button
- Page submits to itself using POST method
- Now armed with user and password, using ADO I verify information
against database and if it's correct, the main page shows.

Two problems:
1) Is the password information secure when I use 'post'? Can someone
somehow steal this with sniffers or something?
2) If there is a problem in the page, like connection or otherwise,
the browser shows a 'The page cannot be displayed' and down the page it
shows 'POST Data: ' which includes username and password! This can't be
good, can it?

What can I do to improve security here?

Re: post errors oh my! by Ray

Ray
Tue Jul 12 13:39:55 CDT 2005

1. HTTPS? That's what this is for. Are you using SSL?
2. Where does it show that exactly? On what errors? Are you using custom
errors?

Ray at work

<wolfing1@yahoo.com> wrote in message
news:1121193067.695889.72610@g14g2000cwa.googlegroups.com...
> I am creating an asp page to collect username/password from the user
> and validate it against the DB.
> Problem is, it's like this:
> - Page initially shows user and pwd inputs with a submit button
> - Page submits to itself using POST method
> - Now armed with user and password, using ADO I verify information
> against database and if it's correct, the main page shows.
>
> Two problems:
> 1) Is the password information secure when I use 'post'? Can someone
> somehow steal this with sniffers or something?
> 2) If there is a problem in the page, like connection or otherwise,
> the browser shows a 'The page cannot be displayed' and down the page it
> shows 'POST Data: ' which includes username and password! This can't be
> good, can it?
>
> What can I do to improve security here?
>



Re: post errors oh my! by wolfing1

wolfing1
Tue Jul 12 14:01:39 CDT 2005

1) Oh no, I haven't learned HTTPS; I'll get some info on the subject.
2) Like, let's say I call a nonexistent stored procedure in the ASP
code; then if I try to go to the page it shows this:

The page cannot be displayed
There is a problem with the page you are trying to reach and it cannot
be displayed.

--------------------------------------------------------------------------------

Please try the following:

Click the Refresh button, or try again later.

Open the localhost home page, and then look for links to the
information you want.
HTTP 500.100 - Internal Server Error - ASP error
Internet Information Services

--------------------------------------------------------------------------------

Technical Information (for support personnel)

Error Type:
Microsoft OLE DB Provider for SQL Server (0x80040E14)
Could not find stored procedure 'createsession'.
/applications/includes/login/session.inc, line 27


Browser Type:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322)

Page:
POST 37 bytes to /applications/login/login.asp

POST Data:
username=test&pwd=test123&smit=Submit

Time:
Tuesday, July 12, 2005, 2:12:28 PM


More information:
Microsoft Support




So see, there is a section that actually shows the posted fields from
the form; it seems to me that this is dangerous.


Re: post errors oh my! by Ray

Ray
Tue Jul 12 14:10:05 CDT 2005

Hmm, that is an issue. You could also look into custom error pages. It
actually can be as simple as making a page like so:

500.asp:

<html>
<body>
An error occurred. Sorry about that.
</body>
</html>

Put that in the root of your site, then set /500.asp to be the URL of your
error page in IIS for that site. See screen shot of the IIS configuration
here. http://www.aspfaq.com/show.asp?id=2335

Ray at work

<wolfing1@yahoo.com> wrote in message
news:1121194899.005790.298880@g14g2000cwa.googlegroups.com...
> 1) Oh no, I haven't learned HTTPS; I'll get some info on the subject.
> 2) Like, let's say I call a nonexistent stored procedure in the ASP
> code; then if I try to go to the page it shows this:
>
> The page cannot be displayed
> There is a problem with the page you are trying to reach and it cannot
> be displayed.
>
> --------------------------------------------------------------------------------
>
> Please try the following:
>
> Click the Refresh button, or try again later.
>
> Open the localhost home page, and then look for links to the
> information you want.
> HTTP 500.100 - Internal Server Error - ASP error
> Internet Information Services
>
> --------------------------------------------------------------------------------
>
> Technical Information (for support personnel)
>
> Error Type:
> Microsoft OLE DB Provider for SQL Server (0x80040E14)
> Could not find stored procedure 'createsession'.
> /applications/includes/login/session.inc, line 27
>
>
> Browser Type:
> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
> 1.1.4322)
>
> Page:
> POST 37 bytes to /applications/login/login.asp
>
> POST Data:
> username=test&pwd=test123&smit=Submit
>
> Time:
> Tuesday, July 12, 2005, 2:12:28 PM
>
>
> More information:
> Microsoft Support
>
>
>
>
> So see, there is a section that actually shows the posted fields from
> the form; it seems to me that this is dangerous.
>

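A fuller version of the custom error page Ray describes, added here as an example rather than Ray's page or anything shipped with IIS. It is meant to be mapped as the 500;100 (ASP error) URL for the site as described above. The point it demonstrates is the separation of concerns: the real failure (the ASPError object returned by Server.GetLastError) is written to the IIS web log with Response.AppendToLog, while the browser gets only a generic message and never anything from Request.Form. The 80-character truncation and the comma replacement follow the IIS 5 documentation for AppendToLog; treating those limits as still applying on later versions is an assumption and is harmless.

```vbscript
<%@ Language="VBScript" %>
<% Option Explicit %>
<%
' 500.asp - added example; not the original poster's or Ray's page.
' Map it in IIS as the custom error URL for "500;100" (ASP error).

' A logging failure inside the error page must not raise a second ASP error,
' which would fall back to the default page and its "POST Data:" section.
On Error Resume Next

Dim aspErr, detail
Set aspErr = Server.GetLastError()   ' ASPError object for the request that failed

' One log line: COM error number, file, line and description. The form
' fields (username/pwd) are deliberately NOT included.
detail = "ASPERR " & Hex(aspErr.Number) & " " & aspErr.File & ":" & aspErr.Line & " " & aspErr.Description
detail = Replace(detail, ",", ";")   ' AppendToLog rejects commas (IIS 5 docs)
Response.AppendToLog Left(detail, 80) ' IIS 5 documents an 80-char limit; assumed harmless later

On Error GoTo 0

' Keep the status honest so clients and proxies do not cache the response
' as a successful page.
Response.Status = "500 Internal Server Error"
Response.CacheControl = "no-cache"
%>
<html>
<body>
An error occurred. Sorry about that.
<!-- Nothing from Request.Form or the ASPError object is echoed here, on purpose. -->
</body>
</html>
```

The entry then shows up in the site's W3C log next to the request line, where an administrator can read the stored-procedure name and line number without any of it crossing the wire to the user.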


Re: post errors oh my! by Dave

Dave
Tue Jul 12 14:12:23 CDT 2005

wolfing1@yahoo.com wrote:
> Two problems:
> 1) is the password information secure when I use 'post'?

No. The form contents are sent in the request headers, but they are not
encrypted.



> can someone somehow steal this with sniffers or something?

Absolutely.



> 2) If there is a problem in the page, like connection or otherwise,
> the browser shows a 'The page cannot be displayed' and down the page
> it shows 'POST Data: ' which includes username and password! This
> can't be good, can it?

The user already knows what he typed. So this is not really any worse than
the unencrypted POST.



> What can I do to improve security here?

Use SSL. And handle your errors:
http://msdn.microsoft.com/library/en-us/script56/html/js56jsstmtrycatch.asp
http://msdn.microsoft.com/library/en-us/script56/html/vsstmonerror.asp
http://msdn.microsoft.com/library/en-us/iissdk/html/552c38f4-7531-4c3e-a620-e94986fbf889.asp


--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.



Re: post errors oh my! by wolfing1

wolfing1
Tue Jul 12 15:01:40 CDT 2005

Thanks for all the replies, very informational.
I've been trying to find some info on how to add HTTPS to my pages, but
haven't found a good place yet... Do you know of a good explanatory site
(tersely explained, because I'm dumb) on how to incorporate HTTPS into
your ASP files and your server?
Thanks


Re: post errors oh my! by wolfing1

wolfing1
Tue Jul 12 15:33:49 CDT 2005

Yikes! I found some info on this and it says I have to pay some 3rd-party
place to use HTTPS? Like $300/year, ouch!!!!


Re: post errors oh my! by Dave

Dave
Tue Jul 12 15:51:45 CDT 2005

wolfing1@yahoo.com wrote:
> Yikes! I found some info on this and it says I have to pay some 3rd-party
> place to use HTTPS? Like $300/year, ouch!!!!

You could act as your own certificate authority and generate your own certs.
The $300 buys you acceptance, not security.



--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.



Re: post errors oh my! by Mark

Mark
Tue Jul 12 17:35:24 CDT 2005

Add error handling to the page so that you control the error message.

For VBScript, see "On Error Resume Next" and "Err.Number".

For JScript, see "try" and "catch".

--
--Mark Schupp


<wolfing1@yahoo.com> wrote in message
news:1121194899.005790.298880@g14g2000cwa.googlegroups.com...
> 1) Oh no, I haven't learned HTTPS; I'll get some info on the subject.
> 2) Like, let's say I call a nonexistent stored procedure in the ASP
> code; then if I try to go to the page it shows this:
>
> The page cannot be displayed
> There is a problem with the page you are trying to reach and it cannot
> be displayed.
>
> --------------------------------------------------------------------------------
>
> Please try the following:
>
> Click the Refresh button, or try again later.
>
> Open the localhost home page, and then look for links to the
> information you want.
> HTTP 500.100 - Internal Server Error - ASP error
> Internet Information Services
>
> --------------------------------------------------------------------------------
>
> Technical Information (for support personnel)
>
> Error Type:
> Microsoft OLE DB Provider for SQL Server (0x80040E14)
> Could not find stored procedure 'createsession'.
> /applications/includes/login/session.inc, line 27
>
>
> Browser Type:
> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
> 1.1.4322)
>
> Page:
> POST 37 bytes to /applications/login/login.asp
>
> POST Data:
> username=test&pwd=test123&smit=Submit
>
> Time:
> Tuesday, July 12, 2005, 2:12:28 PM
>
>
> More information:
> Microsoft Support
>
>
>
>
> So see, there is a section that actually shows the posted fields from
> the form; it seems to me that this is dangerous.
>



Re: post errors oh my! by Duane

Duane
Wed Jul 13 04:22:49 CDT 2005

Dave Anderson wrote:
> wolfing1@yahoo.com wrote:
>
>>Yikes! I found some info on this and it says I have to pay some 3rd-party
>>place to use HTTPS? Like $300/year, ouch!!!!
>
>
> You could act as your own certificate authority and generate your own certs.
> The $300 buys you acceptance, not security.
>
>
>
As Dave said, you can self-certify. But if you want to buy a certificate
from a recognised authority for less than $100, then visit www.enom.com.


Re: post errors oh my! by Joe

Joe
Wed Jul 13 16:46:57 CDT 2005

> 2) If there is a problem in the page, like connection or otherwise,
> the browser shows a 'The page cannot be displayed' and down the page it
> shows 'POST Data: ' which includes username and password! This can't be
> good, can it?

If you trap the error, then it won't be reported back to the browser.
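What Mark's "On Error Resume Next" / "Err.Number" advice, Joe's "trap the error" and Dave's "use SSL and handle your errors" look like in one login page, written here as an added example rather than the original poster's login.asp. The ADO call is trapped inside the page, so a missing stored procedure is logged to a file outside the web root and the browser sees a generic failure message, never Err.Description and never the submitted form fields; the page also refuses to process credentials unless the request arrived over HTTPS. Assumptions (not in the thread): the stored procedure createsession takes @username and @pwd and returns one row on success; the connection string, the log path and the https redirect target are placeholders for the site's own values.

```vbscript
<%@ Language="VBScript" %>
<% Option Explicit %>
<%
' login.asp - added example, not the original poster's page.
' Assumed values (replace with the site's own):
Const CONN = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=appdb;Integrated Security=SSPI;"
Const LOG_FILE = "D:\logs\login-errors.log"   ' outside wwwroot, never served by IIS

' Append server-side detail to a file the browser cannot fetch.
' Only the error is logged; the credentials are never written anywhere.
Sub LogError(num, src, desc)
    Dim fso, f
    On Error Resume Next   ' a failing log must not raise a second ASP error
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(LOG_FILE, 8, True)   ' 8 = ForAppending, create if missing
    f.WriteLine Now() & vbTab & Hex(num) & vbTab & src & vbTab & desc
    f.Close
    On Error GoTo 0
End Sub

' Returns True only when the stored procedure accepts the credentials.
' Any ADO/provider error is trapped here, so IIS never renders its own
' 500.100 page with the "POST Data:" section.
Function AuthenticateUser(userName, password)
    Dim cn, cmd, rs
    AuthenticateUser = False

    On Error Resume Next
    Set cn = Server.CreateObject("ADODB.Connection")
    cn.Open CONN
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandText = "createsession"   ' procedure name from the error page above (assumed signature)
    cmd.CommandType = 4                 ' adCmdStoredProc
    ' Parameters (adVarChar = 200, adParamInput = 1) keep user input out of the SQL text.
    cmd.Parameters.Append cmd.CreateParameter("@username", 200, 1, 64, userName)
    cmd.Parameters.Append cmd.CreateParameter("@pwd", 200, 1, 128, password)
    Set rs = cmd.Execute
    If Err.Number <> 0 Then
        ' e.g. 0x80040E14 "Could not find stored procedure": goes to the log only.
        LogError Err.Number, Err.Source, Err.Description
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0

    If Not rs.EOF Then AuthenticateUser = True
    rs.Close
    cn.Close
End Function

' Refuse to handle credentials over plain HTTP: redirect to the HTTPS
' binding (assumes the site has one on the same host name).
If LCase(Request.ServerVariables("HTTPS")) <> "on" Then
    Response.Redirect "https://" & Request.ServerVariables("SERVER_NAME") & Request.ServerVariables("URL")
End If

Dim userName, password, failed
failed = False
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    userName = Request.Form("username")   ' assignment takes the string value
    password = Request.Form("pwd")
    If AuthenticateUser(userName, password) Then
        Session("user") = userName
        Response.Redirect "main.asp"
    End If
    ' One message for bad credentials and for server errors alike, so the
    ' response reveals neither which field was wrong nor why the server failed.
    failed = True
End If
%>
<html>
<body>
<% If failed Then Response.Write "<p>Login failed. Please try again.</p>" %>
<form method="post" action="login.asp">
  <input type="text" name="username">
  <input type="password" name="pwd">
  <input type="submit" name="smit" value="Submit">
</form>
</body>
</html>
```

Trapping in the page and a custom 500 page are complementary: the per-page trap handles the errors you expect (database down, procedure missing) with a tailored message, and the site-wide error page catches anything the script did not anticipate without falling back to the default output that lists the POST data.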