Security issues with Asp.Net in Shared Hosting Environments

Discussion in 'ASP .Net Security' started by Dinis Cruz, Oct 30, 2003.

  1. Dinis Cruz

    Dinis Cruz Guest

    Dear Asp.Net Security Community

    Over the last couple of months I have posted several items in the
    official Asp.Net website (www.asp.net) related to the security
    problems that occur when Asp.Net is used in shared hosting
    environments (such as ISPs, Asp.Net developers and companies that
    manage/host several websites in their servers).

    The objective of this email is to consolidate all this information in
    one single point:

    1) for us, it all started with our "Security guide for ISPs
    providing Windows-based Shared Hosting Services"
    (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=249624)

    2) then we created and released an Open Source web application to
    test the security configuration of servers hosting Asp.Net websites -
    the Asp.Net Security Analyser (ANSA) - which is published in GotDotNet
    (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=360023)

    3) Following the release of this tool, we started a public
    discussion on what we considered to be serious problems that needed to
    be addressed:
    a) "Asp.Net.Vulnerability: Full Trust (current security problems
    and possible solutions)"
    (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=368663)
    b) "Asp.Net.Vulnerability: Win32 API calls (potential security
    problems)" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=368686)
    c) "Asp.Net.Vulnerability: Asp.Net buffer overflows (potential
    security problems)" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=369016)

    4) When (as a reply to one of the "Asp.Net vulnerabilities" posts)
    we where advised to talk first to Microsoft before publishing this
    information publicly, we decided to write the story (so far) of our
    email exchange with several Microsoft employees and Microsoft Security
    Response Center: "When will Microsoft take Asp.Net Security seriously?
    " (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=370723)

    5) Meanwhile we where continuing to work on a solution for the 'Full
    Trust' problem and posted:

    a) some ideas on how to tackle the problem: "Idea to solve the
    current shared hosting ‘Full trust' issue."
    (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=371761)

    b) a 'proof of concept' example on one of the proposed solutions:
    "FSO in ‘Medium trust' environments"
    (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=380247)

    6) Finally we wrote two articles (soon to be published) that explain
    these problems with more detail, and say what we think Microsoft
    should be doing to solve this problems and make Asp.Net a secure
    platform for the development of secure web applications

    a) "Microsoft must deliver 'secure environments' not tools to
    write 'secure code' - draft article"
    (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=379852)

    b) "'An 'Asp.Net' accident waiting to happen" - draft article"
    (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=379837)

    Our next steps will be the release of a new version of ANSA and
    continue working on the proposed solution for the 'Full Trust' problem
    (when we have more solid data we will release a white paper called
    "living in a Asp.Net 'Partially Trusted' world'" which will provide
    more details about how this can be successfully achieved with the
    requirements of today's Asp.Net developers).

    Best regards

    Dinis Cruz
    ..NET Security Consultant
    DDPlus (www.ddplus.net)
    Dinis Cruz, Oct 30, 2003
    #1
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Replies:
    3
    Views:
    470
  2. Robert Dailey

    subprocess & shared environments

    Robert Dailey, May 1, 2009, in forum: Python
    Replies:
    4
    Views:
    842
    Gabriel Genellina
    May 5, 2009
  3. Andrea Pichler

    ASP.Net shared hosting & security

    Andrea Pichler, Sep 19, 2003, in forum: ASP .Net Security
    Replies:
    1
    Views:
    134
    richlm
    Sep 19, 2003
  4. Jay Levitt
    Replies:
    3
    Views:
    131
    Robert Klemme
    May 9, 2006
  5. teo1991
    Replies:
    0
    Views:
    524
    teo1991
    Apr 2, 2009
Loading...

Share This Page