Shared Hosting

Discussion in 'ASP .Net Security' started by Mike Parris, Dec 6, 2005.

  1. Mike Parris

    Mike Parris Guest

    How secure is the .net framework in a shared hosting enviroment?

    I am discussing running a .net application with a hosting company and they
    are reluctant to allow the aspnet user account write access to a folder
    within my site. They are saying that this is insecure. I believe that they
    are wrong but would like a more informed opinion.

    Is it possible for one site to access files from another site using .net?

    Is there a better way of allowing an application to write to a folder than
    giving the aspnet user write access?
     
    Mike Parris, Dec 6, 2005
    #1
    1. Advertisements

  2. Hello Mike,

    if the account has the needed ACLs - yes of course - this is possible

    give that a try:

    can you programmatically read from:
    C:\WINDOWS\Microsoft.NET\Framework\vXXX\Temporary ASP.NET Files

    this is where ASP.NET compiles the page assemblies to and copies all other
    needed assemblies

    if you can read from this directory you can compromise every ASP.NET app
    on the server

    The only effective way of isolation applications is to use partial trust.
     
    Dominick Baier [DevelopMentor], Dec 6, 2005
    #2
    1. Advertisements

  3. The other thing that is interesting is that the OP mentions the use of the
    ASPNET account. That would seem to indicate that they are using Windows
    2000 instead of 2003. That seems like a questionable thing to be doing for
    a professional hosting company.

    If they were using 2003, they could put the application in its own app pool
    and set that up to run with a specific identity easily. The app would be
    isolated from the other apps on the server at the process level.

    That approach seems to make much more sense to me.

    Joe K.
     
    Joe Kaplan \(MVP - ADSI\), Dec 6, 2005
    #3
  4. Hello Joe,

    still you would have trouble isolating the temp asp.net folder...
     
    Dominick Baier [DevelopMentor], Dec 6, 2005
    #4
  5. Can you explain how the temp asp.net folder here is a problem?

    My understanding was that it is used for storage of compiled pages and such.

    If he just wants to have a specific folder within his own site set for read
    access to his app pool, would it not be possible to restrict that with an
    ACL that only allowed his particular app pool identity and disallowed the
    other IIS_WPG accounts?

    I don't have a great understanding of how the temp asp.net folder works
    though, so I'd like to understand that better.

    Thanks!

    Joe
     
    Joe Kaplan \(MVP - ADSI\), Dec 6, 2005
    #5
  6. Mike Parris

    Mike Parris Guest

    Thanks Joe. This helps.

    Just to clarify a point. The reference to the ASPNET user was from me. I
    develop on Win 2000 so I forgot to include the NETWORK SERVICE user in my
    description. In fact I believe they are using Win 2003.

    I think it fair to say that security would be better for a .net site than
    for their current other asp sites.

    Mike
     
    Mike Parris, Dec 6, 2005
    #6
  7. Security certainly can't be any worse with a .NET app than with an ASP app
    that uses the same deployment model. .NET doesn't elevate privileges or
    anything like that.

    If they are using 2003, then they could potentially create a separate app
    pool for your app (which is a good idea in general from a hosting
    perspective). If they did that, they could run your app pool under its own
    identity in order to help keep the apps isolated.

    Based on what I think Dominick was getting at, I don't think this solves the
    problem of access to the temp asp.net files directory, but from what I
    understand, it should allow your scenario securely.

    I could definitely be wrong though, so we'll see what D. has to say when he
    gets up tomorrow. :)

    Joe K.
     
    Joe Kaplan \(MVP - ADSI\), Dec 7, 2005
    #7
  8. Hello Joe,

    ok :)

    in general it is dangerous to give the WP write access to the web directory.

    think of this scenario: you somehow manage to pipe data in that directory
    - e.g. text with an .aspx extension - afterwards one can execute the file
    over the browser..

    so in a shared hosting environment i can understand that the ISP sees security
    implications - it would better to have a writable dir outside of the web
    root.

    this all is only possible if the ISP has separate appPools for the app -
    which they normally don't do - because a lot of WPs suck memory and cpu out
    of the web server..

    but still then it is hard to really isolate apps on a web server - the temp
    directory is just an example that came to my mind which is often overlooked
    by ISPs -

    usually IIS_WPG has modify on the whole directory tree...this was not really
    related to the question but i thought i throw it in :) but this allows to
    download the compiled assemblies of other apps on the server - so much for
    isolation...

    in general the only way to effectively isolate apps in a shared environmen
    in partial trust - if PT is in place i would have no problems opening up
    directories for a customer - assuming the ISP understands policy....

    hope that clarifies it a bit...

    a POC for the temp dir problem:

    <%@ Page Language="C#" %>
    <%@ Import Namespace="System.Web.Configuration" %>
    <%@ Import Namespace="System.IO" %>

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

    <script runat="server">
    protected string tempDirectory
    {
    // get the location of the temp directories, if not specifically

    // configured, take the default location
    get
    {
    CompilationSection comp = (CompilationSection)
    WebConfigurationManager.GetWebApplicationSection
    ("system.web/compilation");

    if (!string.IsNullOrEmpty(comp.TempDirectory))
    return comp.TempDirectory;
    else
    return Path.Combine
    (HttpRuntime.AspInstallDirectory, "Temporary ASP.NET
    Files");
    }
    }

    // traverse sub-folders
    protected void _treeView_OnPopulate(object sender, TreeNodeEventArgs e)
    {
    string path = e.Node.Value;
    foreach (string directory in Directory.GetDirectories(path))
    {
    string name = Path.GetFileName(directory);
    TreeNode n = new TreeNode(name, e.Node.Value + "\\" + name);
    n.PopulateOnDemand = true;
    e.Node.ChildNodes.Add(n);
    }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
    if (!IsPostBack)
    {
    TreeNode node = new TreeNode("temp dir", tempDirectory);
    node.PopulateOnDemand = true;
    _treeView.Nodes.Add(node);
    }
    }

    protected void _treeView_SelectedNodeChanged(object sender, EventArgs e)
    {
    _lstFiles.Items.Clear();
    foreach (string f in Directory.GetFiles(_treeView.SelectedNode.Value))
    {
    _lstFiles.Items.Add(f);
    }
    }

    // download the selected file
    protected void _btnDownload_Click(object sender, EventArgs e)
    {
    Response.AddHeader("Content-Type", "binary/octet-stream");
    Response.AddHeader(
    "Content-Disposition", string.Format("attachment; filename={0}",
    Path.GetFileName(_lstFiles.SelectedValue)));

    Response.WriteFile(_lstFiles.SelectedValue);
    Response.End();
    }
    </script>

    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
    <title>Download Assemblies of other Applications</title>
    </head>
    <body>
    <form id="form1" runat="server">
    <div>
    ASP.NET Temp Directory;
    <asp:TreeView ExpandDepth="0" runat="server" ID="_treeView"
    OnTreeNodePopulate="_treeView_OnPopulate"
    OnSelectedNodeChanged="_treeView_SelectedNodeChanged" />
    <br />
    Files:
    <br />
    <asp:ListBox runat="server" ID="_lstFiles" Height="150px" />
    <br />
    <asp:Button runat="server" ID="_btnDownload" Text="Download"
    OnClick="_btnDownload_Click" />
    </div>
    </form>
    </body>
    </html>


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com
     
    Dominick Baier [DevelopMentor], Dec 7, 2005
    #8
  9. Mike Parris

    Mike Parris Guest

    Thanks Dominick and Joe

    Your replies have cetainly improved my understanding of the subject and I am
    sure will be useful in the future.

    My client's Hosting company have however told me to go away, or words to
    that effect, but not so nicely put. So I will have to create a solution for
    my client that does not require .net at the server end.



     
    Mike Parris, Dec 7, 2005
    #9
  10. Hello Mike,

    how about using a dedicated server - they are not that much expensive and
    you are your own admin??

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com
     
    Dominick Baier [DevelopMentor], Dec 8, 2005
    #10
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.