Hosting security

Discussion in 'ASP .Net Security' started by Alain, Oct 8, 2003.

  1. Alain

    Alain Guest

    Hello.

    This is probably a well known issue but I still cannot find a
    solution.

    I have noticed that it is possible to read web.config files inside
    other directories on the same server simply by opening them using an aspx
    script.
    This could allow my users to steal each other's usernames and passwords.

    What is the correct way to handle this problem?

    Thanks
    Alain, Oct 8, 2003
    #1

  2. First of all, it's best to encrypt your passwords in some way. Even better
    is to store them in a database somewhere. The asp.net runtime will not post
    a .config file back to the user, but it is vulnerable to being read by an
    aspx script, which is intentional. If your server scripts couldn't read the
    configuration, then the configuration wouldn't be very valuable. So, the
    obvious solution is to not give your users access to drop their own scripts
    onto your server - why would you have something like this enabled in the
    first place?

    --
    Chris Jackson
    Software Engineer
    Microsoft MVP - Windows XP
    Windows XP Associate Expert
    --
    "Alain" <> wrote in message
    news:...
    > Hello.
    >
    > This is probably a well known issue but I still cannot find a
    > solution.
    >
    > I have noticed that it is possible to read web.config files inside
    > other directories on the same server simply by opening them using an aspx
    > script.
    > This could allow my users to steal each other's usernames and passwords.
    >
    > What is the correct way to handle this problem?
    >
    > Thanks
    Chris Jackson, Oct 8, 2003
    #2

  3. Alain

    Alain Guest

    > First of all, it's best to encrypt your passwords in some way. Even better
    > is to store them in a database somewhere. The asp.net runtime will not post
    > a .config file back to the user, but it is vulnerable to being read by an
    > aspx script, which is intentional.


    I know it's intentional. That is exactly the problem.

    > why would you have something like this enabled in the
    > first place?


    I work for a little service provider. Some of the users require the
    possibility to run dynamic applications.
    In the past the company relied on COM+ objects which loaded
    configurations from external udl files. The udl files were not
    readable in any way by the users.
    Alain, Oct 9, 2003
    #3
  4. Alain

    Lauchlan M Guest

    > This is probably a well known issue but I still cannot find a
    > solution.
    >
    > I have noticed that it is possible to read web.config files inside
    > other directories on the same server simply by opening them using an aspx
    > script.
    > This could allow my users to steal each other's usernames and passwords.


    In addition to the suggestion of encrypting username and passwords in the
    web.config file, don't put them in the web.config file, but store them in a
    database, and have the database password protected.

    Lauchlan M
    Lauchlan M, Oct 9, 2003
    #4
  5. If your users have the ability to drop executable code in the same
    application directory, there isn't much you can do. Anything that your
    application can use to decrypt, their application can use to decrypt. Your
    only hope is security through obscurity, which is not security at all. You
    could try using the aspnet_setreg tool to encrypt, and you can try using a
    database connection (which, if your application can use it, theirs can too)
    so it's not quite as obvious, but what you are describing is a truly
    unsecurable scenario that needs to be rearchitected. You may want to
    consider using Windows authentication, if that is an option.

    --
    Chris Jackson
    Software Engineer
    Microsoft MVP - Windows XP
    Windows XP Associate Expert
    --
    "Alain" <> wrote in message
    news:...
    > > First of all, it's best to encrypt your passwords in some way. Even better
    > > is to store them in a database somewhere. The asp.net runtime will not post
    > > a .config file back to the user, but it is vulnerable to being read by an
    > > aspx script, which is intentional.
    >
    > I know it's intentional. That is exactly the problem.
    >
    > > why would you have something like this enabled in the
    > > first place?
    >
    > I work for a little service provider. Some of the users require the
    > possibility to run dynamic applications.
    > In the past the company relied on COM+ objects which loaded
    > configurations from external udl files. The udl files were not
    > readable in any way by the users.
    Chris Jackson, Oct 9, 2003
    #5
  6. Alain

    Dinis Cruz Guest

    Dear Alain

    The problems that you are describing are very real and Asp.Net by
    default is vulnerable to them.

    The solution is to implement website isolation as described in this
    article: "http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/plan/appisoa.asp"

    I would also call to your attention the new Open source Security tool
    that we (in ddplus) have published which allows you to test your server
    against these (and other) security problems.

    See this post for more details on ANSA (Asp.Net Security Analyser)
    "http://groups.google.com/groups?q=asp.net+security+group:microsoft.public.dotnet.framework.aspnet.security&hl=en&lr=&ie=UTF-8&oe=UTF-8&group=microsoft.public.dotnet.framework.aspnet.security&selm=701fd6b6.0310072039.5820b34c%40posting.google.com&rnum=2"
    or go directly to its GotDotNet workspace:
    "http://www.gotdotnet.com/Community/Workspaces/workspace.aspx?id=36ae9a2c-8740-4b52-924e-320edf64fba5"

    Hope this helps

    Best regards

    Dinis Cruz
    .Net Security Consultant
    DDPlus (www.ddplus.net)

    (Alain) wrote in message news:<>...
    > Hello.
    >
    > This is probably a well known issue but I still cannot find a
    > solution.
    >
    > I have noticed that it is possible to read web.config files inside
    > other directories on the same server simply by opening them using an aspx
    > script.
    > This could allow my users to steal each other's usernames and passwords.
    >
    > What is the correct way to handle this problem?
    >
    > Thanks
    Dinis Cruz, Oct 10, 2003
    #6
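    The thread's conclusion is that the only real fix is website isolation: each customer's site runs under its own worker process identity, and each site's web.config is readable by that identity alone, so a script in one site has no path to another site's file. The script below is an added example (not from the thread, not part of ANSA or the TechNet guidance) of how a hosting administrator could audit that isolation on a Windows host. It assumes a hand-maintained table of site roots and the identity each site's application pool runs as (the paths and "IIS APPPOOL\..." names are placeholders), and it only reads ACLs with Get-Acl; it flags any web.config whose ACL grants read access to another site's worker identity, to a broad group every worker process belongs to, or to any principal the table does not explain.

```powershell
# Added example: audit per-site web.config ACLs on a shared IIS host.
# Not from the original thread. Site roots and identities below are placeholders.
$Sites = @(
    @{ Name = 'siteA'; Root = 'D:\Sites\siteA'; Identity = 'IIS APPPOOL\siteA' },
    @{ Name = 'siteB'; Root = 'D:\Sites\siteB'; Identity = 'IIS APPPOOL\siteB' }
)

# Principals that legitimately read every site's files on this host (adjust as needed).
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Groups that every worker process is typically a member of; a read ACE for these
# means every site's script can read the file, which is exactly the thread's problem.
$BroadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                 'BUILTIN\IIS_IUSRS', 'IIS_IUSRS', 'NT AUTHORITY\NETWORK SERVICE')

$AllWorkerIdentities = $Sites | ForEach-Object { $_.Identity }

function Test-AceGrantsRead {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    # FileSystemRights is an Int32 enum; unmapped generic rights show up as raw bits.
    $rights = [int]$Ace.FileSystemRights
    $readData    = ($rights -band 0x1) -ne 0          # FILE_READ_DATA (part of Read/FullControl)
    $genericRead = ($rights -band 0x80000000) -ne 0   # GENERIC_READ, not yet mapped to specific rights
    return ($readData -or $genericRead)
}

function Test-ConfigIsolation {
    param([hashtable]$Site)
    $config = Join-Path $Site.Root 'web.config'
    $findings = @()
    if (-not (Test-Path -LiteralPath $config)) {
        return @{ Site = $Site.Name; Findings = @("no web.config at $config") }
    }
    $acl = Get-Acl -LiteralPath $config
    foreach ($ace in $acl.Access) {
        if (-not (Test-AceGrantsRead -Ace $ace)) { continue }
        $who = $ace.IdentityReference.Value
        if ($who -eq $Site.Identity)              { continue }   # the site's own worker identity: expected
        if ($Trusted -contains $who)              { continue }   # host administration identities: expected
        if ($AllWorkerIdentities -contains $who) {
            $findings += "readable by another site's worker identity: $who"
        } elseif ($BroadGroups -contains $who) {
            $findings += "readable by broad group: $who (every worker process is a member)"
        } else {
            $findings += "readable by unexplained principal: $who (review)"
        }
    }
    return @{ Site = $Site.Name; Findings = $findings }
}

foreach ($site in $Sites) {
    $result = Test-ConfigIsolation -Site $site
    if ($result.Findings.Count -eq 0) {
        Write-Output "[OK]   $($result.Site): web.config readable only by its own identity and trusted principals"
    } else {
        foreach ($f in $result.Findings) { Write-Output "[FAIL] $($result.Site): $f" }
    }
}
```

    The check is deliberately conservative: an ACE carrying unmapped GENERIC_READ bits is counted as readable, and the shared NETWORK SERVICE account is treated as a broad group because, before per-site pool identities are configured, every application pool runs as it and the "anything your application can read, theirs can too" problem from the thread applies. A clean result only covers the file ACLs; it says nothing about whether the pools actually run under the identities listed in the table, which must be verified against the server's configuration separately.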
  7. Alain

    Alain Guest

    Thanks Dinis!
    That's exactly what I was looking for.
    Alain, Oct 10, 2003
    #7