Velocity Reviews - Computer Hardware Reviews

Browsers can download assemblies directly from my website's /bin d

 
 
HosedIfSomeoneBadFiguresOutWhoIAm
Guest
Posts: n/a
 
      07-01-2004
Microsoft: If you email my passport account directly, I can give more detailed info & a telephone number to reach me.

I've found that browsers can download dll's directly from my website's bin dir.
In the following examples I've replaced my actual company name with "Mydomain" or "Mycode" etc. to protect my website.

For example, all they need to do is type:
http://Mydomain.com/bin/Some.Web.dll
into the IE address bar.

For me, this is very bad. It means that an attacker could simply grab assemblies and use .NET Reflector to determine the code. In my case I issue product registration updates through ASP.NET, with the expectation that a user cannot simply find and download the assembly w/ the code to sign the registrations!

Now this only happens with my website hosted through my ISP (I contacted them for help). If I test the same config on a machine at home, it won't let me download the assemblies.

I looked in the web logs and found the following (again, I've replaced my actual website/assembly names to protect my website)
Note that it only let me have the assembly once (HTTP 200 OK). Subsequent requests returned HTTP 404 (Not found). It never returns the expected response HTTP 403.2 (Read access forbidden).

2004-07-01 02:01:41 216.55.191.221 /bin/MyCode.Web.dll - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - MyCode-tech.com 200 0 28974
2004-07-01 02:24:27 216.55.191.221 /bin/MyCode.Web.dll - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - MyCode-tech.com 404 0 1830
2004-07-01 02:24:32 216.55.191.221 /bin/MyCode.Web.dll - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - MyCode-tech.com 404 0 1830

Any ideas? This is very bad for me!!

Sincerely,
HosedIfSomeoneBadFiguresOutWhoIAm
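
One way to triage the exposure shown in the log excerpt above, as an added example that is not part of the original post: it scans IIS log lines for requests under /bin and separates responses that served content from refusals. The column order, the function names and the last sample line are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Column order inferred from the excerpt in the post (assumption); a real W3C
# log names its columns in a "#Fields:" header, so adjust this list to match.
FIELDS = ["date", "time", "s_ip", "uri_stem", "uri_query", "s_port", "user",
          "c_ip", "user_agent", "referer", "host", "status", "status2", "bytes"]

# Any path segment named "bin": a correctly configured server refuses all of it.
BIN_PATH = re.compile(r"(^|/)bin/", re.IGNORECASE)

def parse_line(line):
    """Return a dict for one entry, or None for directives and malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    entry = dict(zip(FIELDS, parts))
    if not (entry["status"].isdigit() and entry["bytes"].isdigit()):
        return None
    entry["status"], entry["bytes"] = int(entry["status"]), int(entry["bytes"])
    return entry

def classify(entry):
    """'served': content left the server; 'refused': denied; None: not /bin."""
    path = unquote(entry["uri_stem"]).replace("\\", "/")
    if not BIN_PATH.search(path):
        return None
    # 2xx returns the file body; 304 means the client already holds a copy.
    return "served" if 200 <= entry["status"] < 300 or entry["status"] == 304 else "refused"

def bin_requests(lines):
    """Return (verdict, timestamp, client_ip, path, status, bytes) per /bin hit."""
    hits = []
    for entry in filter(None, map(parse_line, lines)):
        verdict = classify(entry)
        if verdict:
            hits.append((verdict, f"{entry['date']} {entry['time']}", entry["c_ip"],
                         entry["uri_stem"], entry["status"], entry["bytes"]))
    return hits

# Lines 1-2 are from the post (names already replaced there); line 3 is constructed.
SAMPLE = """\
2004-07-01 02:01:41 216.55.191.221 /bin/MyCode.Web.dll - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - MyCode-tech.com 200 0 28974
2004-07-01 02:24:27 216.55.191.221 /bin/MyCode.Web.dll - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - MyCode-tech.com 404 0 1830
2004-07-01 02:30:00 216.55.191.221 /default.aspx - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - MyCode-tech.com 200 0 5120
"""

if __name__ == "__main__":
    print(*bin_requests(SAMPLE.splitlines()), sep="\n")
```

Every "served" row is a response in which an assembly left the server, so those timestamps and client addresses are the ones to review first.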

 
 
 
 
 
[MSFT]
Guest
Posts: n/a
 
      07-01-2004
Hello,

Thank you for the information. Regarding the issue, as you have seen,
ASP.NET will deny requests for DLL files by default. In ASP.NET, all
requests are handled by HttpHandlers; if a handler finds that the request
is for a DLL, it will deny it. I think the main problem should be related to the
configuration of your ISP's IIS server. They may have done some "bad"
things with the security settings. We may wait for their response and see
what is going on there. With this information, we can determine whether this
is a security hole.

Regards,

Luke


 
 
 
 
 
[MSFT]
Guest
Posts: n/a
 
      07-02-2004
Yes, the default error should be HTTP Error 403.2 - "Forbidden: Read access
is denied.". It seems they still use some customized configurations. Maybe
you need to remind them about this.

Luke

 
 
[MSFT]
Guest
Posts: n/a
 
      07-06-2004
Hello,

Any update from the ISP? Is the problem fixed?

Luke

 
 
 
 