Loading an ActiveX DLL is superslow

[Jaime Palli]

I have developed a Visual Basic 6.0 ActiveX DLL to help to interact with
some ASP pages.
I have copied the compiled DLL in C:\INETPUB\WWWROOT in my XP Pro machine.
After making some configuracion changes for solving the problems with the
message:

Server object error 'ASP 0178 : 80070005'
Server.CreateObject Access Error
The call to Server.CreateObject failed while checking permissions. Access is
denied to this object.

Basically, the changes were:
1. In IIS configuration check "Anonimous access"., Application protection
in "Low", Execution permissions, "Commands and executables."
2. Use CACLS to give the user IUSR_<computername> full access to
MSVBVM60.DLL

Now I see that when I call the ASP page that uses the ActiveX DLL, in
Internet Explorer 6, it lasts about 5 minutes before I get the results.
After this first time, the response time is as usual.

Why this first loading is so slow, and how can I correct it ?

 

[Anthony Jones]

I have developed a Visual Basic 6.0 ActiveX DLL to help to interact with
some ASP pages.
I have copied the compiled DLL in C:\INETPUB\WWWROOT in my XP Pro machine.
After making some configuracion changes for solving the problems with the
message:

Server object error 'ASP 0178 : 80070005'
Server.CreateObject Access Error
The call to Server.CreateObject failed while checking permissions. Access is
denied to this object.

Basically, the changes were:
1. In IIS configuration check "Anonimous access"., Application protection
in "Low", Execution permissions, "Commands and executables."
2. Use CACLS to give the user IUSR_<computername> full access to
MSVBVM60.DLL

Now I see that when I call the ASP page that uses the ActiveX DLL, in
Internet Explorer 6, it lasts about 5 minutes before I get the results.
After this first time, the response time is as usual.

Why this first loading is so slow, and how can I correct it ?

Does the Sub Main do anything?
Does the DLL make DB connections?

 

[Jaime Palli]

After further investigation with SysInternal's filemon program, I have seen
that the problem was in the permissions of the user IUSR_<computername> over
some folder where a log file is written. Assigning permissions for this user
to the folder solved the problem.

I have some more questions about security:

Basically the system is composed of two components: a very simple .asp page
that serves as an interface to a Visual Basic 6.0 ActiveX dll.
The asp page does the following:

Set oWD = Server.CreateObject("AmWebDLL.clsWebDLL")
sData=oWD.GetData(Request.QueryString("action"),Request.QueryString("data"),Request.QueryString("param"))
Response.Write sData

The dll reads and writes records to an Access database, located outside the
public web folders, and writes log information to a .txt file located in the
public web folder.
The folder where the database resides has other company internal programs
and databases.
As the IUSR_<computername> must have read and write permissions over the
internal folder, my question is about to know if this is a security leakage.
Does this model expose the internal folder to outside users and hackers?

 

[Anthony Jones]

After further investigation with SysInternal's filemon program, I have seen
that the problem was in the permissions of the user IUSR_<computername> over
some folder where a log file is written. Assigning permissions for this user
to the folder solved the problem.

I have some more questions about security:

Basically the system is composed of two components: a very simple .asp page
that serves as an interface to a Visual Basic 6.0 ActiveX dll.
The asp page does the following:

Set oWD = Server.CreateObject("AmWebDLL.clsWebDLL")
sData=oWD.GetData(Request.QueryString("action"),Request.QueryString("data"),
Request.QueryString("param"))
Response.Write sData

The dll reads and writes records to an Access database, located outside the
public web folders, and writes log information to a .txt file located in the
public web folder.
The folder where the database resides has other company internal programs
and databases.
As the IUSR_<computername> must have read and write permissions over the
internal folder, my question is about to know if this is a security leakage.
Does this model expose the internal folder to outside users and hackers?

Unless the folder where the database resides is placed in somewhere that can
be accessed via a URL then a hacker can't simply form a URL to fetch it.

However you should be careful about how you create SQL code by using
parameterised queries and not concatenating any values received from the
client into a SQL string.

BTW how big might the content of the querystring values become?

 

[Jaime Palli]

This is the main reason I have tought in using the dll, controlling
parameters.
As far as I can, I try to control what information is coming in the
parameters, and reject anything else.
The parameters that come to the dll from the client are simple, they are not
SQL queries, and they are not appended to internal dll SQL queries.
Therefore I can control the maximum length of what is coming.
Thanks

 

[Anthony Jones]

This is the main reason I have tought in using the dll, controlling
parameters.
As far as I can, I try to control what information is coming in the
parameters, and reject anything else.
The parameters that come to the dll from the client are simple, they are not
SQL queries, and they are not appended to internal dll SQL queries.

Thats good.

Therefore I can control the maximum length of what is coming.

You can't control the maximum length of what is coming in. However it is
possible to reasonably sure that anything that would exceed the maximum size
of a URL would not be valid anyway.