Date:  02/21/2008 06:30:23 PM Msg ID:  003689
From:  FoxWeb Support Thread:  003688
Subject:  Re: Bak Files Vulnerability
If you include foxweb.dll in the URL, then everything after it is simply passed to FoxWeb, which simply ignores the extension. You can use .prg, .bak, .xxx, or .whatever.  It really doesn't matter and it's certainly not a security risk. 

My recommendation is to use script-mapped URLs, such as http://MyServer/WebAppName/FoxWebPrg.fwx.  The reason that this works (even if you are not using .fwx files) is that IIS is configured to call foxweb.dll whenever it sees the .fwx extension.  Alternatively, you can refer to foxweb.dll, but don't use an extension at all (or if you do, it will simply be ignored).  You should never use an extension other than .fwx, because this may confuse FoxWeb.

Both URL forms will instruct FoxWeb to look for files named FoxWebPrg.fwx, FoxWebPrg.prg and FoxWebPrg.fxp.  Depending on the existence and modification date of the above files, FoxWeb may re-compile the source code and eventually execute the .fxp file.  For details on this process, you may refer to http://www.foxweb.com/document/ScriptFileProcessing.htm.
FoxWeb Support Team
support@foxweb.com
Sent by Valter herman on 02/21/2008 06:38:08 AM:
I'm using Foxweb 3.3 on a Windows 2003 Server (IIS 6.0).  Currently, if you specify a URL to a valid prg in the Foxweb directory like so:
http://MyServer/cgi-bin/foxweb.dll/WebAppName/FoxwebPrg.prg
It works just fine.  However, if you specify the same path but with a .bak ending like so:  

http://MyServer/cgi-bin/foxweb.dll/WebAppName/FoxwebPrg.bak

you get the same results even though no such .bak file exists anywhere on that machine.

As a matter of fact, you can navigate here:

http://MyServer/cgi-bin/foxweb.dll/WebAppName/FoxwebPrg.333 

And you still get results.  How can we prohibit this type of behavior?  .bak files show up as vulnerabilities in Security Scans on web applications and it's preventing a successful test run.
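Added example, not part of the original thread or of FoxWeb: a way to triage a scanner's ".bak file found" hit by requesting the same path with a random control extension and comparing the two responses, which separates the extension-ignoring handler described in the support reply from a backup file that really is being served. The `fetch` callable, the two stand-in servers, the `/site/config.bak` path and the result labels are assumptions made for illustration, and the comparison assumes the page returns identical output on repeated requests.

```python
import hashlib
import posixpath
import secrets
from urllib.parse import urlsplit, urlunsplit


def with_extension(url, ext):
    """Replace the extension of the last path segment of url with ext."""
    parts = urlsplit(url)
    stem, _ = posixpath.splitext(parts.path)
    return urlunsplit(parts._replace(path=stem + ext))


def fingerprint(response):
    status, body = response
    return status, hashlib.sha256(body).hexdigest()


def triage_backup_finding(flagged_url, fetch, control_ext=None):
    """Classify a 'backup file' hit. fetch(url) -> (status, body_bytes)."""
    control_ext = control_ext or "." + secrets.token_hex(4)
    flagged = fingerprint(fetch(flagged_url))
    control = fingerprint(fetch(with_extension(flagged_url, control_ext)))
    if flagged[0] != 200:
        return "not-served"
    if control == flagged:
        return "extension-ignored"  # same answer for a nonsense extension
    return "distinct-file"          # only this exact name returns this content


# Constructed stand-ins for two servers, so the example runs offline.
def foxweb_like(url):
    # Models the reply: the path after foxweb.dll is used, the extension is ignored.
    stem, _ = posixpath.splitext(urlsplit(url).path)
    if stem == "/cgi-bin/foxweb.dll/WebAppName/FoxwebPrg":
        return 200, b"<html>script output</html>"
    return 404, b"not found"


def static_like(url):
    # Hypothetical static site that really has a leftover backup file.
    files = {"/site/config.bak": b"db_password=constructed-sample"}
    body = files.get(urlsplit(url).path)
    return (200, body) if body is not None else (404, b"not found")


if __name__ == "__main__":
    hit = "http://MyServer/cgi-bin/foxweb.dll/WebAppName/FoxwebPrg.bak"
    print(triage_backup_finding(hit, foxweb_like))
    print(triage_backup_finding("http://MyServer/site/config.bak", static_like))
```

An "extension-ignored" result only says that this particular hit does not show a backup file on disk; it says nothing about files reachable through other paths.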