Protect bin folder from direct download

Discussion in 'ASP .Net' started by Pavils Jurjans, Apr 29, 2004.

  1. Hello,

    My ASP.NET hoster has made a separate folder in my hosting space and
    configured it as separate application in IIS. Further, I created "bin"
    folder in this directory, and put in my aspx pages that all use code-behind.
    All works fine, but I was dismayed finding out that it is possible to write
    a direct URL to an assembly in the bin folder, and IIS would allow to download
    pure code. That's somewhat very wrong, isn't it?

    What should I tell my hoster to do in order to fix this? Actually I was
    expecting that IIS6 handles this automatically and makes the bin folder
    accessible only to CLI, and does not expose its contents to http requests.

    Thanks,

    Pavils
    Pavils Jurjans, Apr 29, 2004
    #1

  2. Actually this is your hoster's fault.
    In IIS Management Console they should revoke read permissions from this
    folder. So IIS will not serve any file to the browser from that folder.
    Those permissions are given only through IIS Management Console.

    Do not mistake them with file "read" permission to IIS account or ASP.NET
    account.
    IIS must be able to read the DLL and load it into the memory.

    George.


    George Ter-Saakov, Apr 29, 2004
    #2
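
The distinction drawn in the reply above (IIS "Read" access on the folder versus NTFS read for the worker account) can be audited from the IIS 6 metabase. The following is an added example, not part of either post: it computes the effective `AccessFlags` for each application's `bin` key, including inheritance from the parent key, and reports whether DLLs would be served. The XML is a constructed, simplified fragment in the style of `MetaBase.xml`; the site ID and the application names `shop` and `blog` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified fragment in the style of IIS 6 MetaBase.xml.
# Site ID 1 and the apps "shop" and "blog" are hypothetical, not from the thread.
SAMPLE = """<MBProperty>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AccessFlags="AccessRead | AccessScript"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/shop" AccessFlags="AccessRead | AccessScript"/>
  <IIsWebDirectory Location="/LM/W3SVC/1/ROOT/shop/bin" AccessFlags="AccessScript"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/blog" AccessFlags="AccessRead | AccessScript"/>
  <IIsWebDirectory Location="/LM/W3SVC/1/ROOT/blog/images" AccessFlags="AccessRead"/>
</MBProperty>"""


def load_flags(xml_text):
    """Map each metabase Location (lower-cased) to its explicitly set AccessFlags."""
    flags = {}
    for node in ET.fromstring(xml_text):
        raw = node.get("AccessFlags")
        if raw is not None:
            names = {f.strip() for f in raw.split("|") if f.strip()}
            flags[node.get("Location").lower()] = names
    return flags


def effective_flags(flags, location):
    """Walk up the key path: a key without its own AccessFlags inherits its parent's."""
    key = location.lower()
    while key:
        if key in flags:
            return flags[key]
        key = key.rpartition("/")[0]
    return set()


def bin_is_downloadable(flags, app_location):
    """True when IIS 'Read' access applies to <app>/bin, so DLLs are served as files."""
    return "AccessRead" in effective_flags(flags, app_location + "/bin")


def audit(xml_text, app_locations):
    """Return {application key: True if its bin folder is served over HTTP}."""
    flags = load_flags(xml_text)
    return {app: bin_is_downloadable(flags, app) for app in app_locations}


if __name__ == "__main__":
    apps = ["/LM/W3SVC/1/ROOT/shop", "/LM/W3SVC/1/ROOT/blog"]
    for app, exposed in audit(SAMPLE, apps).items():
        print(app, "bin downloadable" if exposed else "bin read access revoked")
```

In the sample, `blog` has no key of its own for `bin`, so the folder inherits `AccessRead` from the application root and is flagged; `shop/bin` has an explicit key without `AccessRead` and is not.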