Help with WScript.Shell Object

Discussion in 'ASP General' started by joe, May 7, 2005.

  1. joe

    joe Guest

    I've made an ASP page that calls a small executable and collects its
    text output into a variable ("strExeOut") below. Below is some code similar
    to the one I use for that purpose.

    strExe = "C:\whatever\myprogram.exe -h1 -d33"

    Set objShell = CreateObject("WScript.Shell")
    Set objScriptExec = objShell.Exec(strExe)
    strExeOut = objScriptExec.StdOut.ReadAll

    I developed this in my own computer and the whole thing works like a charm,
    but
    unfortunately I assumed my hosting provider would let me run the (little and
    harmless) exe, and they won't.
    Therefore I have to run only the "exe" portion of the code in another web
    server and send
    back the output to my website on the net.

    I'd like to get some feedback on what would
    be the best way to call an exe on another server, and to have the output
    sent back.

    Any help is appreciated. Thanks in advance.
     
    joe, May 7, 2005
    #1
    1. Advertising

  2. joe

    Steven Burn Guest

    1. Make sure you've set a security proc on the server that CAN run the exe, to prevent unauthorised servers running it (e.g. a security key or whatever that will be passed from one to the other)
    2. Stick ALL of the code that runs the exe, into a file on the server that can run the exe
    3. Use the XMLHTTP object to run the asp page on the other server, and to return the results.

    Thats my thoughts on it anyway....

    --
    Regards

    Steven Burn
    Ur I.T. Mate Group
    www.it-mate.co.uk

    Keeping it FREE!

    "joe" <> wrote in message news:xI6fe.25248$...
    > I've made an ASP page that calls a small executable and collects its
    > text output into a variable ("strExeOut") below. Below is some code similar
    > to the one I use for that purpose.
    >
    > strExe = "C:\whatever\myprogram.exe -h1 -d33"
    >
    > Set objShell = CreateObject("WScript.Shell")
    > Set objScriptExec = objShell.Exec(strExe)
    > strExeOut = objScriptExec.StdOut.ReadAll
    >
    > I developed this in my own computer and the whole thing works like a charm,
    > but
    > unfortunately I assumed my hosting provider would let me run the (little and
    > harmless) exe, and they won't.
    > Therefore I have to run only the "exe" portion of the code in another web
    > server and send
    > back the output to my website on the net.
    >
    > I'd like to get some feedback on what would
    > be the best way to call an exe on another server, and to have the output
    > sent back.
    >
    > Any help is appreciated. Thanks in advance.
    >
    >
     
    Steven Burn, May 7, 2005
    #2
    1. Advertising

  3. joe

    joe Guest

    Steven:

    Thank you. So far the method is working. I still haven't dealt with the
    security aspect, as I am a bit ignorant of the administration of IIS. Does
    it matter that the exe doesn't really do anything except to output some
    text? What are the risks, besides someone issuing XMLHTTP calls to the page
    where the WScript.Shell Object is used, and retrieving its output? Sorry if
    my question is too newbie-like.
     
    joe, May 8, 2005
    #3
  4. joe

    Steven Burn Guest

    It depends on what the text contains.... but personally I'd be inclined to protect it regardless (I always tend to err on the side of paranoia).

    Executables, as with anything else, use resources, so allowing someone else to access the file could (in theory) allow them to bombard the page with requests, causing your server to crash (could also happen with regular web-files though, it's not an issue thats restricted to certain file types).

    I don't actually run exe's on the server so don't know the in's and out's where the security aspect is concerned though, you'll have to wait for one of the experts to come along and advise you on this one.

    --
    Regards

    Steven Burn
    Ur I.T. Mate Group
    www.it-mate.co.uk

    Keeping it FREE!

    "joe" <> wrote in message news:z_qfe.3151$...
    > Steven:
    >
    > Thank you. So far the method is working. I still haven't dealt with the
    > security aspect, as I am a bit ignorant of the administration of IIS. Does
    > it matter that the exe doesn't really do anything except to output some
    > text? What are the risks, besides someone issuing XMLHTTP calls to the page
    > where the WScript.Shell Object is used, and retrieving its output? Sorry if
    > my question is too newbie-like.
    >
    >
    >
     
    Steven Burn, May 8, 2005
    #4
  5. "Steven Burn" <> wrote in message
    news:...
    It depends on what the text contains.... but personally I'd be inclined to
    protect it regardless (I always tend to err on the side of paranoia).
    >>>>

    Executables, as with anything else, use resources, so allowing someone else
    to access the file could (in theory) allow them to bombard the page with
    requests, causing your server to crash (could also happen with regular
    web-files though, it's not an issue thats restricted to certain file types).

    I don't actually run exe's on the server so don't know the in's and out's
    where the security aspect is concerned though, you'll have to wait for one
    of the experts to come along and advise you on this one.
    <<<<<


    The security risk is that it is much much more difficult to restrict an EXE
    that it is to restrict the actions of a script. An EXE has the whole Win32
    API available to it, it can manipilate ACEs and process tokens, it can call
    LoginUser as part of a brute-force password attack, it can explicitly
    allocate large chunks of memory -- there is no stopping even an uninspired
    C++ programmer from crashing the system on purpose if s/he wants to, and you
    allow his/her EXE to run.

    Bottom line, the system is almost infinitely more vulnerable to rogue code
    in an EXE, even if it's accidental, than it is to script.


    -Mark



    --
    Regards

    Steven Burn
    Ur I.T. Mate Group
    www.it-mate.co.uk

    Keeping it FREE!

    "joe" <> wrote in message
    news:z_qfe.3151$...
    > Steven:
    >
    > Thank you. So far the method is working. I still haven't dealt with the
    > security aspect, as I am a bit ignorant of the administration of IIS. Does
    > it matter that the exe doesn't really do anything except to output some
    > text? What are the risks, besides someone issuing XMLHTTP calls to the
    > page
    > where the WScript.Shell Object is used, and retrieving its output? Sorry
    > if
    > my question is too newbie-like.
    >
    >
    >
     
    Mark J. McGinty, May 8, 2005
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Mike John
    Replies:
    2
    Views:
    6,540
  2. Jesper Stocholm

    WScript.Shell and socket connection

    Jesper Stocholm, Aug 23, 2004, in forum: ASP .Net
    Replies:
    0
    Views:
    587
    Jesper Stocholm
    Aug 23, 2004
  3. Tim Golden
    Replies:
    0
    Views:
    684
    Tim Golden
    Jul 16, 2004
  4. Shawn Wheatley
    Replies:
    0
    Views:
    606
    Shawn Wheatley
    Jul 16, 2004
  5. Bill
    Replies:
    3
    Views:
    681
Loading...

Share This Page