Security issues with Asp.Net in Shared Hosting Environments

Dinis Cruz
Dear Asp.Net Security Community

Over the last couple of months I have posted several items in the
official Asp.Net website related to the security
problems that occur when Asp.Net is used in shared hosting
environments (such as ISPs, Asp.Net developers and companies that
manage/host several websites in their servers).

The objective of this email is to consolidate all this information in
one single point:

1) for us, it all started with our "Security guide for ISPs
providing Windows-based Shared Hosting Services"

2) then we created and released an Open Source web application to
test the security configuration of servers hosting Asp.Net websites -
the Asp.Net Security Analyser (ANSA) - which is published in GotDotNet

3) Following the release of this tool, we started a public
discussion on what we considered to be serious problems that needed to
be addressed:
a) "Asp.Net.Vulnerability: Full Trust (current security problems
and possible solutions)"
b) "Asp.Net.Vulnerability: Win32 API calls (potential security
problems)"
c) "Asp.Net.Vulnerability: Asp.Net buffer overflows (potential
security problems)"

4) When (as a reply to one of the "Asp.Net vulnerabilities" posts)
we were advised to talk first to Microsoft before publishing this
information publicly, we decided to write the story (so far) of our
email exchange with several Microsoft employees and Microsoft Security
Response Center: "When will Microsoft take Asp.Net Security seriously?"

5) Meanwhile we were continuing to work on a solution for the 'Full
Trust' problem and posted:

a) some ideas on how to tackle the problem: "Idea to solve the
current shared hosting 'Full trust' issue."

b) a 'proof of concept' example on one of the proposed solutions:
"FSO in 'Medium trust' environments"

6) Finally we wrote two articles (soon to be published) that explain
these problems in more detail, and say what we think Microsoft
should be doing to solve these problems and make Asp.Net a secure
platform for the development of secure web applications

a) "Microsoft must deliver 'secure environments' not tools to
write 'secure code' - draft article"

b) "An 'Asp.Net' accident waiting to happen - draft article"

Our next steps will be the release of a new version of ANSA and
continuing to work on the proposed solution for the 'Full Trust' problem
(when we have more solid data we will release a white paper called
"living in an Asp.Net 'Partially Trusted' world" which will provide
more details about how this can be successfully achieved with the
requirements of today's Asp.Net developers).

Best regards

Dinis Cruz
.NET Security Consultant
DDPlus