Help with WScript.Shell Object

 
 
joe
Guest
Posts: n/a
 
      05-07-2005
I've made an ASP page that calls a small executable and collects its
text output into a variable ("strExeOut") below. Below is some code similar
to the one I use for that purpose.

strExe = "C:\whatever\myprogram.exe -h1 -d33"

Set objShell = CreateObject("WScript.Shell")
Set objScriptExec = objShell.Exec(strExe)
strExeOut = objScriptExec.StdOut.ReadAll

I developed this on my own computer and the whole thing works like a charm,
but unfortunately I assumed my hosting provider would let me run the (little
and harmless) exe, and they won't.
Therefore I have to run only the "exe" portion of the code in another web
server and send back the output to my website on the net.

I'd like to get some feedback on what would
be the best way to call an exe on another server, and to have the output
sent back.

Any help is appreciated. Thanks in advance.


 
Steven Burn
Guest
Posts: n/a
 
      05-07-2005
1. Make sure you've set a security proc on the server that CAN run the exe, to prevent unauthorised servers running it (e.g. a security key or whatever that will be passed from one to the other)
2. Stick ALL of the code that runs the exe, into a file on the server that can run the exe
3. Use the XMLHTTP object to run the asp page on the other server, and to return the results.

That's my thoughts on it anyway....

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

"joe" <(E-Mail Removed)> wrote in message newsI6fe.25248$(E-Mail Removed). ..
> I've made an ASP page that calls a small executable and collects its
> text output into a variable ("strExeOut") below. Below is some code similar
> to the one I use for that purpose.
>
> strExe = "C:\whatever\myprogram.exe -h1 -d33"
>
> Set objShell = CreateObject("WScript.Shell")
> Set objScriptExec = objShell.Exec(strExe)
> strExeOut = objScriptExec.StdOut.ReadAll
>
> I developed this in my own computer and the whole thing works like a charm,
> but
> unfortunately I assumed my hosting provider would let me run the (little and
> harmless) exe, and they won't.
> Therefore I have to run only the "exe" portion of the code in another web
> server and send
> back the output to my website on the net.
>
> I'd like to get some feedback on what would
> be the best way to call an exe on another server, and to have the output
> sent back.
>
> Any help is appreciated. Thanks in advance.
>
>


 
joe
Guest
Posts: n/a
 
      05-08-2005
Steven:

Thank you. So far the method is working. I still haven't dealt with the
security aspect, as I am a bit ignorant of the administration of IIS. Does
it matter that the exe doesn't really do anything except to output some
text? What are the risks, besides someone issuing XMLHTTP calls to the page
where the WScript.Shell Object is used, and retrieving its output? Sorry if
my question is too newbie-like.



 
Steven Burn
Guest
Posts: n/a
 
      05-08-2005
It depends on what the text contains.... but personally I'd be inclined to protect it regardless (I always tend to err on the side of paranoia).

Executables, as with anything else, use resources, so allowing someone else to access the file could (in theory) allow them to bombard the page with requests, causing your server to crash (could also happen with regular web-files though, it's not an issue that's restricted to certain file types).

I don't actually run exe's on the server so don't know the in's and out's where the security aspect is concerned though, you'll have to wait for one of the experts to come along and advise you on this one.

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

"joe" <(E-Mail Removed)> wrote in message news:z_qfe.3151$(E-Mail Removed)...
> Steven:
>
> Thank you. So far the method is working. I still haven't dealt with the
> security aspect, as I am a bit ignorant of the administration of IIS. Does
> it matter that the exe doesn't really do anything except to output some
> text? What are the risks, besides someone issuing XMLHTTP calls to the page
> where the WScript.Shell Object is used, and retrieving its output? Sorry if
> my question is too newbie-like.
>
>
>


 
Mark J. McGinty
Guest
Posts: n/a
 
      05-08-2005

"Steven Burn" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
It depends on what the text contains.... but personally I'd be inclined to
protect it regardless (I always tend to err on the side of paranoia).
>>>>

Executables, as with anything else, use resources, so allowing someone else
to access the file could (in theory) allow them to bombard the page with
requests, causing your server to crash (could also happen with regular
web-files though, it's not an issue that's restricted to certain file types).

I don't actually run exe's on the server so don't know the in's and out's
where the security aspect is concerned though, you'll have to wait for one
of the experts to come along and advise you on this one.
<<<<<


The security risk is that it is much much more difficult to restrict an EXE
than it is to restrict the actions of a script. An EXE has the whole Win32
API available to it, it can manipulate ACEs and process tokens, it can call
LoginUser as part of a brute-force password attack, it can explicitly
allocate large chunks of memory -- there is no stopping even an uninspired
C++ programmer from crashing the system on purpose if s/he wants to, and you
allow his/her EXE to run.

Bottom line, the system is almost infinitely more vulnerable to rogue code
in an EXE, even if it's accidental, than it is to script.


-Mark



--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

"joe" <(E-Mail Removed)> wrote in message
news:z_qfe.3151$(E-Mail Removed)...
> Steven:
>
> Thank you. So far the method is working. I still haven't dealt with the
> security aspect, as I am a bit ignorant of the administration of IIS. Does
> it matter that the exe doesn't really do anything except to output some
> text? What are the risks, besides someone issuing XMLHTTP calls to the
> page
> where the WScript.Shell Object is used, and retrieving its output? Sorry
> if
> my question is too newbie-like.
>
>
>
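
The arrangement discussed in this thread (a page on the second server that checks a key before running the exe, called from the hosted site through XMLHTTP), written out as an added example; it is not code from any poster in the thread. The file name `runexe.asp`, the header `X-Exe-Key`, the host `exe-host.example` and the key value are assumptions.

```asp
<%
Option Explicit
' ---- runexe.asp (hypothetical name), on the server that may run the exe ----
Response.Buffer = True
Response.ContentType = "text/plain"

' Placeholder shared key: a long random value known only to the two servers.
Const SHARED_KEY = "REPLACE-WITH-LONG-RANDOM-VALUE"
' Fixed command line from the thread; nothing from the request is appended to it.
Const EXE_CMD = "C:\whatever\myprogram.exe -h1 -d33"

Sub Deny(strStatus)
    Response.Clear
    Response.Status = strStatus
    Response.End
End Sub

' POST only, so the key is never carried in a URL.
If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then Deny "405 Method Not Allowed"

' X-Exe-Key is a made-up header name; IIS exposes it as HTTP_X_EXE_KEY.
' The check runs before Exec, so requests without the key never start a process.
Dim strSentKey
strSentKey = Request.ServerVariables("HTTP_X_EXE_KEY")
If StrComp(strSentKey, SHARED_KEY, vbBinaryCompare) <> 0 Then Deny "403 Forbidden"

Dim objShell, objScriptExec
Set objShell = Server.CreateObject("WScript.Shell")
Set objScriptExec = objShell.Exec(EXE_CMD)
Response.Write objScriptExec.StdOut.ReadAll
%>

<%
' ---- caller page, on the hosted website (separate file) ----
' exe-host.example is a placeholder host; use HTTPS so the key is not sent in clear.
Const SHARED_KEY = "REPLACE-WITH-LONG-RANDOM-VALUE"
Dim objHttp, strExeOut
Set objHttp = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")
objHttp.setTimeouts 5000, 5000, 10000, 30000   ' resolve, connect, send, receive (ms)
objHttp.open "POST", "https://exe-host.example/runexe.asp", False
objHttp.setRequestHeader "X-Exe-Key", SHARED_KEY
objHttp.send ""
If objHttp.status = 200 Then
    strExeOut = objHttp.responseText
Else
    strExeOut = ""   ' treat any other status as "no output"
End If
%>
```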



 