Full Disclosure mailing list archives
Security issues with Asp.Net in Shared Hosting Environments
From: "Dinis Cruz" <Dinis () ddplus net>
Date: Thu, 30 Oct 2003 18:04:20 -0000
Hello

Over the last couple of months I have posted several items on the official Asp.Net website (www.asp.net) related to the security problems that occur when Asp.Net is used in shared hosting environments (such as ISPs, Asp.Net developers and companies that manage/host several websites on their servers). The objective of this email is to consolidate all this information in one single point:

1) For us, it all started with our "Security guide for ISPs providing Windows-based Shared Hosting Services" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=249624)

2) Then we created and released an Open Source web application to test the security configuration of servers hosting Asp.Net websites - the Asp.Net Security Analyser (ANSA) - which is published on GotDotNet (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=360023)

3) Following the release of this tool, we started a public discussion on what we considered to be serious problems that needed to be addressed:
   a) "Asp.Net.Vulnerability: Full Trust (current security problems and possible solutions)" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=368663)
   b) "Asp.Net.Vulnerability: Win32 API calls (potential security problems)" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=368686)
   c) "Asp.Net.Vulnerability: Asp.Net buffer overflows (potential security problems)" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=369016)

4) When (as a reply to one of the "Asp.Net vulnerabilities" posts) we were advised to talk first to Microsoft before publishing this information publicly, we decided to write the story (so far) of our email exchange with several Microsoft employees and the Microsoft Security Response Center: "When will Microsoft take Asp.Net Security seriously?" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=370723)

5) Meanwhile we were continuing to work on a solution for the 'Full Trust' problem and posted:
   a) some ideas on how to tackle the problem: "Idea to solve the current shared hosting 'Full trust' issue." (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=371761)
   b) a 'proof of concept' example of one of the proposed solutions: "FSO in 'Medium trust' environments" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=380247)

6) Finally we wrote two articles (soon to be published) that explain these problems in more detail, and say what we think Microsoft should be doing to solve these problems and make Asp.Net a secure platform for the development of secure web applications:
   a) "Microsoft must deliver 'secure environments' not tools to write 'secure code'" - draft article (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=379852)
   b) "An 'Asp.Net' accident waiting to happen" - draft article (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=379837)

Our next steps will be the release of a new version of ANSA and continuing to work on the proposed solution for the 'Full Trust' problem (when we have more solid data we will release a white paper called "living in an Asp.Net 'Partially Trusted' world", which will provide more details about how this can be successfully achieved with the requirements of today's Asp.Net developers).

Best regards

Dinis Cruz
.NET Security Consultant
DDPlus (www.ddplus.net)

Note: We also posted a query for 'real life' examples of web applications developed and deployed in 'Partially Trusted' environments ("examples of 'Medium' or 'high' trust Asp.Net applications" - http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=380468), but haven't received any feedback. If you know of examples we would very much appreciate it if you could provide us (and the Asp.Net community) with feedback and 'real life' knowledge.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
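A hosting-side illustration of the 'Full Trust' problem discussed in the post, added here and not taken from the post or from the ANSA tool: it assumes an ASP.NET 1.1 machine.config, where the shipped default trust element applies Full trust to every hosted site, and shows the server-wide lockdown to Medium trust that a tenant's own web.config cannot override.

```xml
<!-- machine.config fragment (ASP.NET 1.1, assumed layout); added example, not from the post.

     Weak default on a shared host: every site runs with Full trust, so code from one
     tenant is not constrained by code access security at all (unmanaged/Win32 calls and
     file access outside its own directory are permitted). -->
<configuration>
  <system.web>
    <trust level="Full" originUrl="" />
  </system.web>
</configuration>

<!-- Hardened: the host maps each named level to its policy file, sets Medium trust for
     all sites, and wraps the element in a location with allowOverride="false" so that a
     <trust> element in any tenant's web.config causes a configuration error instead
     of silently raising that site back to Full trust. -->
<configuration>
  <system.web>
    <securityPolicy>
      <trustLevel name="Full"    policyFile="internal" />
      <trustLevel name="High"    policyFile="web_hightrust.config" />
      <trustLevel name="Medium"  policyFile="web_mediumtrust.config" />
      <trustLevel name="Low"     policyFile="web_lowtrust.config" />
      <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
    </securityPolicy>
  </system.web>
  <location allowOverride="false">
    <system.web>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>
```

Medium trust grants FileIOPermission only within the application's own directory tree and does not grant the unmanaged-code permission, which is why a tool such as ANSA checking the effective trust level of a hosted site is a useful first audit step.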