Re: ASP Security

Brad Albrecht ( (no email) )
Thu, 17 Jul 1997 20:34:03 -0700

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Previous message: <É: "mail failed, returning to sender"
Next message: <Ù: "mail failed, returning to sender"
Maybe in reply to: Greg White: "ASP Security"
Next in thread: Joe Bissot: "Re: ASP Security"

Due to the issues with allowing customers to run programs on your server,
you might want to know just what a user can do with ASP, right out of the
box. The first thing is that ASP is not extended NT's security model. So,
like all server side scripts, and unlike Unix, the script is NOT run in the
context of the user, but rather as a service.

A user could easily make your life very difficult by using some of the
server side object to do things that you would rather they did not do. One
simple example is the ILS server object. I use this example since it is
relatively harmless (Not a critical service), and does not come with NT. I
can write a page that will make/delete users from your ILS, and not have to
pass any security boundary. All I need is to be able to save the file on
your server, and have the directory executable by IIS. It should be noted
that you have to purposefully give the directory execute permission. But,
this is no different that ALL ASP directories. What is worse, I can write
it to do this without you ever knowing where it is coming from.

The good thing is that it cannot be done from a remote server. It must be
installed on your machine, and you have to grant execute permissions. Just
make sure you know who can run stuff on your machine. There are far worse
things a person can do with ASP if they got creative.

Just my experience. Been there, done that.

Brad Albrecht
Computer Innovations Online
http://www.cio.net/
Skagit Valleys' Premier Internet Service Provider

----------
> From: Jeremy Schertzinger <jeremy@nutleysystems.com>
> To: 'ntisp@emerald.iea.com'
> Subject: RE: ASP Security
> Date: Thursday, July 17, 1997 9:59 AM
>
> The risks associated with ASP are the same as with any other server side
> script you may run (perl, etc.). Avoid using world-writable files.
> There are other considerations as well. Read the WWW server security
> FAQ.
>
> There's also an NT Security mailing list. To subscribe, send mail to
> majordomo@iss.net with the message body "subscribe ntsecurity
> <youremail@yourdomain.com>"
>
> Jeremy
>
> --
> Jeremy Schertzinger
> Nutley Systems, Inc.
> jeremy@nutleysystems.com
> (425) 739-8024 phone
> (206) 559-3138 pager
>
> > -----Original Message-----
> > From: whiteg@dnc.net [SMTP:whiteg@dnc.net]
> > Sent: Thursday, July 17, 1997 9:37 AM
> > To: ntisp@emerald.iea.com
> > Subject: ASP Security
> >
> > Does anybody know of any security concerns with Active Server Pages
> > that I
> > should be aware of?
> >
> > While we're on the topic, any other links to information about NT
> > security
> > would be appreciated.
> >
> >
> > Thank you,
> >
> > Greg White
> > Direct NET Communications
> >
> >
> > ----------------------------------------------------------
> > NTISP Mailing List listserver@emerald.iea.com
>
> ----------------------------------------------------------
> NTISP Mailing List listserver@emerald.iea.com

Previous message: <É: "mail failed, returning to sender"
Next message: <Ù: "mail failed, returning to sender"
Maybe in reply to: Greg White: "ASP Security"
Next in thread: Joe Bissot: "Re: ASP Security"