Hosting security

Discussion in 'ASP .Net Security' started by Alain, Oct 8, 2003.

  1. Alain

    Alain Guest


    This is probably a well knows issue but I still cannot find a

    I have noticed that it is possible to read web.config files inside
    other directories on the same server simply opening them using a aspx
    This could allow my users to steal each other username and passwords.

    What is the correct way to handle this problem?

    Alain, Oct 8, 2003
    1. Advertisements

  2. First of all, it's best to encrypt your passwords in some way. Even better
    is to store them in a database somewhere. The runtime will not post
    a .config file back to the user, but it is vulnerable to being read by an
    aspx script, which is intentional. If your server scripts couldn't read the
    configuration, then the configuration wouldn't be very valuable. So, the
    obvious solution is to not give your users access to drop their own scripts
    onto your server - why would you have something like this enabled in the
    first place?
    Chris Jackson, Oct 8, 2003
    1. Advertisements

  3. Alain

    Alain Guest

    First of all, it's best to encrypt your passwords in some way. Even better
    I know its intentional. That is exactly the problem.
    I work for a little service provider. Some of the user require the
    possibility to run dynamic applications.
    In the past the company relied on COM+ objects which loaded
    configurations from external udl files. The udl files were not
    readable in any way by the users.
    Alain, Oct 9, 2003
  4. Alain

    Lauchlan M Guest

    This is probably a well knows issue but I still cannot find a
    In addition to the suggestion of encrypting username and passwords in the
    web.config file, don't put them in the web.config file, but store them in a
    database, and have the database password protected.

    Lauchlan M
    Lauchlan M, Oct 9, 2003
  5. If your users have the ability to drop executable code in the same
    application directory, there isn't much you can do. Anything that your
    application can use to decrypt, their application can use to decrypt. Your
    only hope is security through obscurity, which is not security at all. You
    could try using the aspnet_setreg tool to encrypt, and you can try using a
    database connection (which, if your application can use it, theirs can too)
    so it's not quite as obvious, but what you are describing is a truly
    unsecurable scenario that needs to be rearchitected. You may want to
    consider using Windows authentication, if that is an option.

    Chris Jackson
    Software Engineer
    Microsoft MVP - Windows XP
    Windows XP Associate Expert
    Chris Jackson, Oct 9, 2003
  6. Alain

    Dinis Cruz Guest

    Dear Alain

    The problems that you are describing are very real and Asp.Net by
    default is vulnerable to them

    The solution is to implement website isolation as described in this
    article: ""

    I would also call to your attention the new Open source Security tool
    that we (in ddplus)have published which allow you to test your server
    agaist these (and other) security problems.

    See this post for more details on ANSA (Asp.Net Security Analyser)
    or go directly to it's GotDotNet workspace:

    Hope this helps

    Best regards

    Dinis Cruz
    ..Net Security Consultant
    DDPlus (
    Dinis Cruz, Oct 10, 2003
  7. Alain

    Alain Guest

    Thanks Dinis!
    Thas it exactly what I was looking for.
    Alain, Oct 10, 2003
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.