Is it possible for IIS 6 to serve unprocessed ASP/ASPX pages?

Question

The only thing I was able to find on the subject was a posting from 1997 (http://insecure.org/sploits/microsoft.asp.iis.html), so I was hoping someone on here might have more recent knowledge on this topic:

Does anyone know if there are any known vulnerabilities in IIS6 that would allow a user to view an unprocessed ASP or ASPX page, outside of gaining control of the server?

Answer 1

Are you concerned about people being able to see your source code? If it is, I wouldn't worry too much about it, especially with .net and using code behind files, and a properly architectured n-tiered site.

Really, the only time this is a concern is if you have an error on your page and you spit out debugging code, even with classic asp.

Answer 2

IIS will serve raw asp or aspx only if those extensions are removed from application mappings for the site, or if you done some other dumb thing to configure it that way.

Answer 3

If you didn't have your script mappings set up properly, this could be an issue, but that's more of a deploy-time concern, not a run-time concern.

I think any other vulnerabilities in this area would be app-related (picking a file to download server side...), not so much platform related.

Answer 4

Why would you want unprocessed asp pages? You could just have a link that will escape the page and put it into a webpage for the user.

To me it would be a potential security risk, as, if you forgot and left a security vulnerability it would be seen.