WebApp Sec mailing list archives
Re: Security issues with Asp.Net in Shared Hosting Environments
From: Mark Burnett <mb () xato net>
Date: Fri, 31 Oct 2003 21:51:22 -0700
I have read several of your articles, e-mails, and usenet posts and while the facts are correct, I'm not really clear what you expect to happen.
From what I understand, you want:
- Full trust features made available to web site operators in a shared hosting environment who are not fully trusted.
- Little or no extra effort on the developer's part to make it run in a partial trust environment.
- The developers shouldn't have to operate their own server to be able to run trusted code.

You state that the .NET framework does not allow the creation of secure hosting environments unless one is prepared to develop partially trusted web applications. This is true and precisely the reason Microsoft created the concept of partial trust. Of course you can't do everything with partial trust because the hosting company doesn't fully trust you. If a hosting company is willing to grant everyone full trust, that is their own security problem and certainly not a flaw of ASP.NET. It would be absurd if a hosting company running classic ASP allowed all customers to install their own COM objects and ISAPI applications.

Further, many of the things you talk about can be restricted in other ways. When I run your ANSA application against any of my servers using my standard build procedure, ALL of the tests fail, not just because of my ASP.NET configuration, but because I take the proper steps in securing the file system, the registry, WSH, FSO, WMI, etc.

You really can't expect a hosting company to fully trust you. The real issue here is a balance of security vs. features and is one that exists for all platforms. The other issues are knowing how to properly secure a server and properly write code that will run on a secure server.

You have made several points in your articles, but it seems like you are shifting the burden of this onto Microsoft. But it's not clear what you are asking them to do. What do you see as the solution to all this? Are you saying they have the wrong security/features balance?

Mark Burnett

On Thu, 30 Oct 2003 23:17:29 -0000, Dinis Cruz wrote:
Hello

Over the last couple of months I have posted several items in the official Asp.Net website (www.asp.net) related to the security problems that occur when Asp.Net is used in shared hosting environments (such as ISPs, Asp.Net developers and companies that manage/host several websites in their servers). The objective of this email is to consolidate all this information in one single point:

1) For us, it all started with our "Security guide for ISPs providing Windows-based Shared Hosting Services" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=249624)

2) Then we created and released an Open Source web application to test the security configuration of servers hosting Asp.Net websites - the Asp.Net Security Analyser (ANSA) - which is published in GotDotNet (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=360023)

3) Following the release of this tool, we started a public discussion on what we considered to be serious problems that needed to be addressed:
a) "Asp.Net.Vulnerability: Full Trust (current security problems and possible solutions)" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=368663)
b) "Asp.Net.Vulnerability: Win32 API calls (potential security problems)" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=368686)
c) "Asp.Net.Vulnerability: Asp.Net buffer overflows (potential security problems)" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=369016)

4) When (as a reply to one of the "Asp.Net vulnerabilities" posts) we were advised to talk first to Microsoft before publishing this information publicly, we decided to write the story (so far) of our email exchange with several Microsoft employees and Microsoft Security Response Center: "When will Microsoft take Asp.Net Security seriously?" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=370723)

5) Meanwhile we were continuing to work on a solution for the 'Full Trust' problem and posted:
a) some ideas on how to tackle the problem: "Idea to solve the current shared hosting 'Full trust' issue." (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=371761)
b) a 'proof of concept' example on one of the proposed solutions: "FSO in 'Medium trust' environments" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=380247)

6) Finally we wrote two articles (soon to be published) that explain these problems in more detail, and say what we think Microsoft should be doing to solve these problems and make Asp.Net a secure platform for the development of secure web applications:
a) "Microsoft must deliver 'secure environments' not tools to write 'secure code' - draft article" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=379852)
b) "'An 'Asp.Net' accident waiting to happen' - draft article" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=379837)

Our next steps will be the release of a new version of ANSA and continuing to work on the proposed solution for the 'Full Trust' problem (when we have more solid data we will release a white paper called "living in an Asp.Net 'Partially Trusted' world", which will provide more details about how this can be successfully achieved with the requirements of today's Asp.Net developers).

Best regards

Dinis Cruz
.NET Security Consultant
DDPlus (www.ddplus.net)

Note: We also posted a query for 'real life' examples of web applications developed and deployed in 'Partial Trust' environments ("examples of 'Medium' or 'high' trust Asp.Net applications" - http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=380468), but haven't received any feedback. If you know of examples we would very much appreciate it if you could provide us (and the Asp.Net community) with feedback and 'real life' knowledge.
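The exchange above turns on one configuration decision: whether the hosting company leaves tenant applications at Full trust or locks them to a partial trust level that tenants cannot override from their own web.config. As an added illustration (not code from either poster, nor from ANSA), the fragment below shows the weak machine.config shape beside the hardened one that Mark's position implies; the policy file names are the standard ones shipped with the ASP.NET 1.x/2.0 framework, and the element names are the documented ones. The tenant web.config shown last is a constructed sample that would be ignored under the locked configuration.

```xml
<!-- WEAK: the default leaves trust at Full and lets any tenant web.config keep it there.
     Every site on the box can call unmanaged code, read the registry, walk the file system. -->
<configuration>
  <system.web>
    <trust level="Full" originUrl="" />
  </system.web>
</configuration>

<!-- HARDENED: machine.config on a shared host.
     allowOverride="false" on <location> means a tenant's web.config cannot raise the level again.
     Medium trust denies unmanaged code, restricts FileIO to the application directory,
     and removes registry and WMI-style access, which is what a host that "does not fully trust you" wants. -->
<configuration>
  <location allowOverride="false">
    <system.web>
      <securityPolicy>
        <trustLevel name="Full"    policyFile="internal" />
        <trustLevel name="High"    policyFile="web_hightrust.config" />
        <trustLevel name="Medium"  policyFile="web_mediumtrust.config" />
        <trustLevel name="Low"     policyFile="web_lowtrust.config" />
        <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
      </securityPolicy>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>

<!-- Constructed tenant web.config: with the <location allowOverride="false"> lock in place,
     this attempt to regain Full trust produces a configuration error at startup rather than taking effect. -->
<configuration>
  <system.web>
    <trust level="Full" originUrl="" />
  </system.web>
</configuration>
```

A quick check for a host is therefore not "does ANSA's test pass" but "is the `<trust>` element wrapped in a `<location allowOverride="false">` block in machine.config, and does a tenant web.config that sets `level="Full"` fail to load". The second point both posters make, that partial trust only narrows what the CLR permits, still stands: the NTFS ACLs, registry permissions and WSH/FSO/WMI restrictions Mark lists are an independent layer that a Medium-trust setting does not replace.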