Re: ASP Security

Joe Bissot ( )
Sun, 20 Jul 1997 12:27:26 -0700

What I do is create an ASP directory just like the cgi-bin directory. The
user can not write to it, they have to send me the asp files. There main
web site is non execute. All ASP pages have to be submitted and checked
before they are made available.

At 20:34 07/17/1997 -0700, you wrote:
>Due to the issues with allowing customers to run programs on your server,
>you might want to know just what a user can do with ASP, right out of the
>box. The first thing is that ASP is not extended NT's security model. So,
>like all server side scripts, and unlike Unix, the script is NOT run in the
>context of the user, but rather as a service..
>A user could easily make your life very difficult by using some of the
>server side object to do things that you would rather they did not do. One
>simple example is the ILS server object. I use this example since it is
>relatively harmless (Not a critical service), and does not come with NT. I
>can write a page that will make/delete users from your ILS, and not have to
>pass any security boundary. All I need is to be able to save the file on
>your server, and have the directory executable by IIS. It should be noted
>that you have to purposefully give the directory execute permission. But,
>this is no different that ALL ASP directories. What is worse, I can write
>it to do this without you ever knowing where it is coming from..
>The good thing is that it cannot be done from a remote server. It must be
>installed on your machine, and you have to grant execute permissions. Just
>make sure you know who can run stuff on your machine. There are far worse
>things a person can do with ASP if they got creative..
>Just my experience. Been there, done that..
>Brad Albrecht
>Computer Innovations Online
>Skagit Valleys' Premier Internet Service Provider
>> From: Jeremy Schertzinger <>
>> To: ''
>> Subject: RE: ASP Security
>> Date: Thursday, July 17, 1997 9:59 AM
>> The risks associated with ASP are the same as with any other server side
>> script you may run (perl, etc.). Avoid using world-writable files..
>> There are other considerations as well. Read the WWW server security
>> FAQ..
>> There's also an NT Security mailing list. To subscribe, send mail to
>> with the message body "subscribe ntsecurity
>> <>"
>> Jeremy
>> --
>> Jeremy Schertzinger
>> Nutley Systems, Inc..
>> (425) 739-8024 phone
>> (206) 559-3138 pager
>> > -----Original Message-----
>> > From: []
>> > Sent: Thursday, July 17, 1997 9:37 AM
>> > To:
>> > Subject: ASP Security
>> >
>> > Does anybody know of any security concerns with Active Server Pages
>> > that I
>> > should be aware of?
>> >
>> > While we're on the topic, any other links to information about NT
>> > security
>> > would be appreciated..
>> >
>> >
>> > Thank you,
>> >
>> > Greg White
>> > Direct NET Communications
>> >
>> >
>> > ----------------------------------------------------------
>> > NTISP Mailing List
>> ----------------------------------------------------------
>> NTISP Mailing List
> ----------------------------------------------------------
> NTISP Mailing List