Browsers can download assemblies directly from my website's /bin dir

Discussion in 'ASP .Net Security' started by HosedIfSomeoneBadFiguresOutWhoIAm, Jul 1, 2004.

  1. Microsoft: If you email my passport account directly, I can give more detailed info & a telephone number to reach me.

    I've found that browsers can download DLLs directly from my website's bin dir.
    In the following examples I've replaced my actual company name with "Mydomain" or "Mycode" etc. to protect my website.

    For example, all they need to do is type:
    http://Mydomain.com/bin/Some.Web.dll
    into the IE address bar.

    For me, this is very bad. It means that an attacker could simply grab assemblies and use .NET Reflector to determine the code. In my case I issue product registration updates through ASP.NET, with the expectation that a user cannot simply find and download the assembly w/ the code to sign the registrations!

    Now this only happens with my website hosted through my ISP (I contacted them for help). If I test the same config on a machine at home, it won't let me download the assemblies.

    I looked in the web logs and found the following (again, I've replaced my actual website/assembly names to protect my website)
    Note that it only let me have the assembly once (HTTP 200 OK). Subsequent requests returned HTTP 404 (Not found). It never returns the expected response HTTP 403.2 (Read access forbidden).

    2004-07-01 02:01:41 216.55.191.221 /bin/MyCode.Web.dll - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - MyCode-tech.com 200 0 28974
    2004-07-01 02:24:27 216.55.191.221 /bin/MyCode.Web.dll - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - MyCode-tech.com 404 0 1830
    2004-07-01 02:24:32 216.55.191.221 /bin/MyCode.Web.dll - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - MyCode-tech.com 404 0 1830

    Any ideas? This is very bad for me!!

    Sincerely,
    HosedIfSomeoneBadFiguresOutWhoIAm
    HosedIfSomeoneBadFiguresOutWhoIAm, Jul 1, 2004
    #1
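The log lines quoted in the post are the evidence that matters here: one 200 with the full byte count means the assembly actually left the server, regardless of what later requests returned. The following is an added example, not code from the thread, that runs that check over IIS W3C log lines. It assumes the field order visible in the quoted lines (date, time, s-ip, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), cs-host, sc-status, sc-substatus, byte count); the 403.2 line and the /default.aspx line in the sample are constructed for contrast and are not from the poster's logs.

```python
"""Audit IIS W3C log lines for ASP.NET /bin assemblies that were actually served.

Added example, not from the original thread. Field positions are an assumption
taken from the lines quoted in the post; adjust the FIELD_* constants to match
the #Fields: header of your own log files.
"""
from dataclasses import dataclass
from typing import List, Optional

# Field positions counted from the quoted log lines (assumption).
FIELD_DATE, FIELD_TIME, FIELD_URI, FIELD_CLIENT_IP = 0, 1, 3, 7
FIELD_STATUS, FIELD_SUBSTATUS, FIELD_BYTES = 11, 12, 13
MIN_FIELDS = 14

# Sample input: the three lines from the post, plus two constructed lines
# (a correct 403.2 denial and an ordinary page hit) for contrast.
SAMPLE_LOG = """\
2004-07-01 02:01:41 216.55.191.221 /bin/MyCode.Web.dll - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - MyCode-tech.com 200 0 28974
2004-07-01 02:24:27 216.55.191.221 /bin/MyCode.Web.dll - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - MyCode-tech.com 404 0 1830
2004-07-01 02:24:32 216.55.191.221 /bin/MyCode.Web.dll - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - MyCode-tech.com 404 0 1830
2004-07-01 02:30:00 216.55.191.221 /bin/MyCode.Web.dll - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - MyCode-tech.com 403 2 1409
2004-07-01 02:31:15 216.55.191.221 /default.aspx - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - MyCode-tech.com 200 0 5120
"""


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    uri: str
    status: int
    substatus: int
    bytes_sent: int
    verdict: str


def is_protected_path(uri: str) -> bool:
    """Paths ASP.NET should never hand out as static content: /bin and any assembly."""
    u = uri.lower()
    return u.startswith("/bin/") or u.endswith(".dll")


def classify(status: int, substatus: int, bytes_sent: int) -> str:
    """Turn the status triple into a verdict for a protected path."""
    if status == 200 and bytes_sent > 0:
        return "EXPOSED"        # the file body was sent to the client
    if status == 403 and substatus == 2:
        return "DENIED_403_2"   # IIS "Read access forbidden", the response the post expects
    if status == 404:
        return "NOT_FOUND"      # hidden rather than denied; still worth asking the host why
    return "OTHER"


def parse_line(line: str) -> Optional[Finding]:
    """Parse one W3C line; return None for comments, short lines and unprotected paths."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split()  # W3C logs encode spaces inside fields as '+', so split() is safe
    if len(f) < MIN_FIELDS:
        return None
    uri = f[FIELD_URI]
    if not is_protected_path(uri):
        return None
    status = int(f[FIELD_STATUS])
    sub = int(f[FIELD_SUBSTATUS])
    nbytes = int(f[FIELD_BYTES])
    return Finding(f"{f[FIELD_DATE]} {f[FIELD_TIME]}", f[FIELD_CLIENT_IP], uri,
                   status, sub, nbytes, classify(status, sub, nbytes))


def audit(log_text: str) -> List[Finding]:
    """All requests for protected paths, with a verdict each."""
    return [x for x in (parse_line(l) for l in log_text.splitlines()) if x is not None]


def exposed(log_text: str) -> List[Finding]:
    """Only the requests where an assembly was actually served."""
    return [x for x in audit(log_text) if x.verdict == "EXPOSED"]


if __name__ == "__main__":
    for x in audit(SAMPLE_LOG):
        print(f"{x.timestamp} {x.client_ip} {x.uri} {x.status}.{x.substatus} "
              f"{x.bytes_sent}B {x.verdict}")
```

Run over a real log directory, anything tagged EXPOSED is a confirmed disclosure of that assembly to that client IP; the later 404s do not undo it. A host that is configured the way ASP.NET ships would produce the 403.2 pattern instead, which is the easy thing to point the ISP at.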

  2. HosedIfSomeoneBadFiguresOutWhoIAm

    [MSFT] Guest

    Hello,

    Thank you for the information. Regarding the issue, as you have seen,
    ASP.NET will deny requests for DLL files by default. In ASP.NET, all
    requests are handled by HttpHandlers; if one finds that the request is for a
    DLL, it denies it. I think the main problem should be related to the
    configuration of your ISP on their IIS server. They may have done some "bad"
    things in the security settings. We may wait for their response and see
    what was going on there. With this information, we can determine if this
    is a security hole.

    Regards,

    Luke
    [MSFT], Jul 1, 2004
    #2

  3. HosedIfSomeoneBadFiguresOutWhoIAm

    [MSFT] Guest

    RE: Browsers can download assemblies directly from /bin

    Yes, the default error should be HTTP Error 403.2 - "Forbidden: Read access
    is denied.". It seems they still use some customized configurations. Maybe
    you need to remind them about this.

    Luke
    [MSFT], Jul 2, 2004
    #3
  4. HosedIfSomeoneBadFiguresOutWhoIAm

    [MSFT] Guest

    RE: Browsers can download assemblies directly from /bin

    Hello,

    Any update from the ISP? Is the problem fixed?

    Luke
    [MSFT], Jul 6, 2004
    #4