Issues in locking down aspnet user security in shared environment

Discussion in 'ASP .Net' started by John Dalberg, Oct 6, 2003.

  1. John Dalberg

    John Dalberg Guest

    I am trying to lock down file access of some sites in a shared hosting
    environment so that different users can only access their own site's
    directory with their asp.net code. However there's a problem with some
    aspnet user access.

    [I enabled identity impersonate in machine.config and made allowOverride =
    false.]

    After some experimenting with NTFS permissions, I noticed that any asp.net
    enabled site *must* have the asp.net user have read access on the folder above
    the application folder plus have read access to the web.config file,
    regardless of whether the site is impersonating another user.

    This means any asp.net site can list the files of any other asp.net enabled
    site plus read someone else's web.config file, which might contain sensitive
    non-encrypted settings.

    Does anyone see a security hole in this security model? In some cases you
    can display or even download files by just looking at someone else's site
    folder and typing the url + filename in a browser. Like an .mdb file if the
    user didn't password protect their sensitive folder.

    How can I plug this hole with better lockdown? I was going to look at the
    <location.. > tag and trust levels and see if they help.
    Is there any whitepaper on how to very securely lock down asp.net sites in a
    shared environment?

    Thanks.

    John
     
    John Dalberg, Oct 6, 2003
    #1
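
An added example, not part of the original post: a PowerShell audit of the situation described above. It lists every ACL entry that lets the shared ASP.NET worker account, or a group that would cover every impersonated user, read the parent folder, a site folder, or a site's web.config. The `D:\Sites` root, the function name and the account list are assumptions; group names are as they appear on an English-language Windows install.

```powershell
# Added example: the hosting root and account names are placeholders, not from the post.
function Get-SharedReadExposure {
    param(
        [Parameter(Mandatory)] [string]   $HostingRoot,  # parent folder of all site directories
        [Parameter(Mandatory)] [string[]] $Identity      # accounts/groups shared by every site
    )
    # ReadData on a file has the same bit value as ListDirectory on a folder.
    $read = [System.Security.AccessControl.FileSystemRights]::ReadData

    # Check the parent folder, then each site folder and its web.config.
    $targets = @($HostingRoot)
    foreach ($site in Get-ChildItem -LiteralPath $HostingRoot -Directory) {
        $targets += $site.FullName
        $cfg = Join-Path $site.FullName 'web.config'
        if (Test-Path -LiteralPath $cfg) { $targets += $cfg }
    }

    foreach ($path in $targets) {
        $acl = Get-Acl -LiteralPath $path
        foreach ($rule in $acl.Access) {
            # Keep only entries for the shared identities (comparison is case-insensitive).
            if ($Identity -notcontains $rule.IdentityReference.Value) { continue }
            # Keep only entries that carry the read/list bit.
            if ([int]($rule.FileSystemRights -band $read) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $path
                Identity  = $rule.IdentityReference.Value
                Type      = $rule.AccessControlType   # Allow or Deny
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited         # True: fix it on the parent, not here
            }
        }
    }
}

# Example call; D:\Sites is a placeholder for the real hosting root.
$shared = "$env:COMPUTERNAME\ASPNET", 'BUILTIN\Users',
          'NT AUTHORITY\Authenticated Users', 'Everyone'
Get-SharedReadExposure -HostingRoot 'D:\Sites' -Identity $shared |
    Sort-Object Path, Identity |
    Format-Table -AutoSize
```

The script reports ACL entries as written; it does not expand group membership or compute effective access, so an Allow row still has to be read against any Deny rows for the same path.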