Velocity Reviews - Computer Hardware Reviews

Hosting security

 
 
Alain
10-08-2003
Hello.

This is probably a well known issue but I still cannot find a
solution.

I have noticed that it is possible to read web.config files inside
other directories on the same server simply by opening them using an aspx
script.
This could allow my users to steal each other's usernames and passwords.

What is the correct way to handle this problem?

Thanks
 
Chris Jackson
10-08-2003
First of all, it's best to encrypt your passwords in some way. Even better
is to store them in a database somewhere. The asp.net runtime will not post
a .config file back to the user, but it is vulnerable to being read by an
aspx script, which is intentional. If your server scripts couldn't read the
configuration, then the configuration wouldn't be very valuable. So, the
obvious solution is to not give your users access to drop their own scripts
onto your server - why would you have something like this enabled in the
first place?

--
Chris Jackson
Software Engineer
Microsoft MVP - Windows XP
Windows XP Associate Expert
--
Alain
10-09-2003
> First of all, it's best to encrypt your passwords in some way. Even better
> is to store them in a database somewhere. The asp.net runtime will not post
> a .config file back to the user, but it is vulnerable to being read by an
> aspx script, which is intentional.


I know it's intentional. That is exactly the problem.

> why would you have something like this enabled in the
> first place?


I work for a little service provider. Some of the users require the
possibility to run dynamic applications.
In the past the company relied on COM+ objects which loaded
configurations from external udl files. The udl files were not
readable in any way by the users.
 
Lauchlan M
10-09-2003
> This is probably a well known issue but I still cannot find a
> solution.
>
> I have noticed that it is possible to read web.config files inside
> other directories on the same server simply by opening them using an aspx
> script.
> This could allow my users to steal each other's usernames and passwords.


In addition to the suggestion of encrypting username and passwords in the
web.config file, don't put them in the web.config file, but store them in a
database, and have the database password protected.

Lauchlan M


 
Chris Jackson
10-09-2003
If your users have the ability to drop executable code in the same
application directory, there isn't much you can do. Anything that your
application can use to decrypt, their application can use to decrypt. Your
only hope is security through obscurity, which is not security at all. You
could try using the aspnet_setreg tool to encrypt, and you can try using a
database connection (which, if your application can use it, theirs can too)
so it's not quite as obvious, but what you are describing is a truly
unsecurable scenario that needs to be rearchitected. You may want to
consider using Windows authentication, if that is an option.

--
Chris Jackson
Software Engineer
Microsoft MVP - Windows XP
Windows XP Associate Expert
--
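The aspnet_setreg route Chris mentions, worked through as an added example that is not part of the thread: it moves one site's impersonation credentials out of web.config into a registry key that aspnet_setreg encrypts with the machine-scope DPAPI store, then restricts that key's ACL so only that site's process account can read it. Everything named here is assumed for the example and not taken from the posts: PowerShell 3 or later run as an administrator, aspnet_setreg.exe (the separate KB329290 download) on the PATH, a tenant process account HOST\tenant_alpha, a neighbouring tenant account HOST\tenant_beta, and the registry subkey SOFTWARE\Tenants\alpha\identity.

```powershell
# Added example, not from the thread. Hypothetical names throughout.
$tenantAccount = 'HOST\tenant_alpha'            # process account for this one site
$otherTenant   = 'HOST\tenant_beta'             # a neighbour that must NOT be able to read the key
$subKey        = 'SOFTWARE\Tenants\alpha\identity'

# 1. Encrypt userName/password into HKLM\<subKey>\ASPNET_SETREG (DPAPI, machine store).
$cred  = Get-Credential -UserName $tenantAccount -Message 'Password for the tenant process account'
$plain = $cred.GetNetworkCredential().Password
& aspnet_setreg.exe "-k:$subKey" "-u:$tenantAccount" "-p:$plain"
if ($LASTEXITCODE -ne 0) { throw "aspnet_setreg failed with exit code $LASTEXITCODE" }
$plain = $null

# 2. Replace the inherited ACL on the key: this tenant's account gets read only,
#    administrators and SYSTEM keep full control, nothing else is granted.
$keyPath = "HKLM:\$subKey\ASPNET_SETREG"
$acl = Get-Acl -Path $keyPath
$acl.SetAccessRuleProtection($true, $false)            # stop inheriting, drop inherited ACEs
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
foreach ($entry in @(
        @{ Id = $tenantAccount;           Rights = 'ReadKey' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' })) {
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $entry.Id, $entry.Rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $keyPath -AclObject $acl

# 3. web.config then points at the key instead of carrying the secret. Someone who
#    can read web.config learns only where the secret lives, not the secret itself.
$identityElement = @"
<identity impersonate="true"
          userName="registry:HKLM\$subKey\ASPNET_SETREG,userName"
          password="registry:HKLM\$subKey\ASPNET_SETREG,password" />
"@
Write-Host "Put this inside <system.web> of the site's web.config:`n$identityElement"

# 4. Check: the neighbour must have no explicit Allow ACE on the key. (Group
#    memberships are not expanded here; the definitive test is to read the key
#    from code running as the neighbour's process account.)
$leak = (Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $otherTenant -and $_.AccessControlType -eq 'Allow' }
if ($leak) { Write-Warning "$otherTenant can read $keyPath" }
else       { Write-Host "$otherTenant has no ACE on $keyPath" }
```

Two limits worth knowing before relying on this: aspnet_setreg covers only the userName/password attributes of the identity and processModel sections and the connection strings of sessionState, not appSettings or application connection strings; and because the value is encrypted with the machine-wide DPAPI store, the registry ACL is the whole control. If every tenant's code runs under the same worker-process identity, as in the original question, that identity can read every tenant's key and step 4 fails by construction, which is exactly Chris's point that the scenario needs a different architecture rather than better hiding.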
 
Dinis Cruz
10-10-2003
Dear Alain

The problems that you are describing are very real, and Asp.Net by
default is vulnerable to them.

The solution is to implement website isolation as described in this
article: "http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/plan/appisoa.asp"

I would also call to your attention the new open-source security tool
that we (at DDPlus) have published, which allows you to test your server
against these (and other) security problems.

See this post for more details on ANSA (Asp.Net Security Analyser):
"http://groups.google.com/groups?q=asp.net+security+group:microsoft.public.dotnet.framework.aspnet.security&hl=en&lr=&ie=UTF-8&oe=UTF-8&group=microsoft.public.dotnet.framework.aspnet.security&selm=701fd6b6.0310072039.5820b34c%40posting.google.com&rnum=2"
or go directly to its GotDotNet workspace:
"http://www.gotdotnet.com/Community/Workspaces/workspace.aspx?id=36ae9a2c-8740-4b52-924e-320edf64fba5"

Hope this helps

Best regards

Dinis Cruz
.Net Security Consultant
DDPlus (www.ddplus.net)

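The per-site isolation Dinis points to, as an added example that is neither from the thread nor from the linked article. The article covers IIS 6 worker process isolation mode; this script applies the same idea (one application pool per site, each pool running as its own account, each site directory readable only by that account) using the IIS 7+ WebAdministration module, so the platform is an assumption. The names are hypothetical: local accounts tenant_alpha and tenant_beta already created, site roots under C:\inetpub\tenants, host names under example.test. The last loop is the check a hosting operator would want: no tenant account, and no broad group, may hold an Allow entry on another tenant's directory.

```powershell
# Added example, not from the thread or the linked article. Hypothetical names.
Import-Module WebAdministration

$tenants = @(
    @{ Name = 'alpha'; Account = 'tenant_alpha'; Host = 'alpha.example.test' },
    @{ Name = 'beta';  Account = 'tenant_beta';  Host = 'beta.example.test'  }
)

foreach ($t in $tenants) {
    $root = "C:\inetpub\tenants\$($t.Name)"
    $pool = "pool_$($t.Name)"
    $cred = Get-Credential -UserName $t.Account -Message "Password for $($t.Account)"

    # A separate application pool running as the tenant's own account: ASP.NET
    # code in this site can read only what this account can read.
    if (-not (Test-Path "IIS:\AppPools\$pool")) { New-WebAppPool -Name $pool | Out-Null }
    Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel -Value @{
        identityType = 3                                    # 3 = SpecificUser
        userName     = $t.Account
        password     = $cred.GetNetworkCredential().Password
    }

    if (-not (Test-Path "IIS:\Sites\$($t.Name)")) {
        New-Item $root -ItemType Directory -Force | Out-Null
        New-Website -Name $t.Name -PhysicalPath $root -HostHeader $t.Host `
                    -ApplicationPool $pool | Out-Null
    }

    # NTFS: drop inherited ACEs (which is where Users/IIS_IUSRS read access
    # usually comes from), then grant read to this tenant's account only,
    # plus full control for administrators and SYSTEM.
    icacls $root /inheritance:r /grant:r "$($t.Account):(OI)(CI)RX" `
        /grant:r 'BUILTIN\Administrators:(OI)(CI)F' /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
}

# Verification: a tenant directory must not grant anything to another tenant's
# account or to a broad group; any such ACE means web.config is readable
# cross-site regardless of what the pool identities are.
$broad = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\IIS_IUSRS'
foreach ($t in $tenants) {
    $root   = "C:\inetpub\tenants\$($t.Name)"
    $others = $tenants | Where-Object { $_.Name -ne $t.Name } |
              ForEach-Object { "$env:COMPUTERNAME\$($_.Account)" }
    (Get-Acl $root).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($broad -contains $_.IdentityReference.Value -or
                        $others -contains $_.IdentityReference.Value) } |
        ForEach-Object { Write-Warning "$root grants $($_.FileSystemRights) to $($_.IdentityReference)" }
}
```

The ACL check only reads the DACL on the site root; it does not expand group membership or look at other shared locations (the parent directory, shared assembly folders, Temporary ASP.NET Files), so treat a clean result as necessary rather than sufficient. The conclusive test is the one the thread's ANSA tool performs: run code as each tenant's identity and try to open the neighbours' web.config files.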
 
Alain
10-10-2003
Thanks Dinis!
That's exactly what I was looking for.
 