[VulnWatch] Security issues with Asp.Net in Shared Hosting Environments

From: Dinis Cruz (Dinis_at_ddplus.net)
Date: 10/30/03

  • Next message: Dragos Ruiu: "[VulnWatch] CanSecWest/core04 Call For Papers"
    To: <vulnwatch@vulnwatch.org>
    Date: Thu, 30 Oct 2003 18:03:35 -0000

    Hello

    Over the last couple of months I have posted several items on the
    official Asp.Net website (www.asp.net) related to the security problems
    that occur when Asp.Net is used in shared hosting environments (such as
    ISPs, Asp.Net developers and companies that manage/host several websites
    on their servers).

    The objective of this email is to consolidate all this information in
    one single point:

    1) for us, it all started with our "Security guide for ISPs providing
    Windows-based Shared Hosting Services"
    (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=249624)

    2) then we created and released an Open Source web application to test
    the security configuration of servers hosting Asp.Net websites - the
    Asp.Net Security Analyser (ANSA) - which is published on GotDotNet
    (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=360023)

    3) Following the release of this tool, we started a public discussion on
    what we considered to be serious problems that needed to be addressed:
    a) "Asp.Net.Vulnerability: Full Trust (current security problems and
    possible solutions)"
    (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=368663)
    b) "Asp.Net.Vulnerability: Win32 API calls (potential security
    problems)"
    (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=368686)
    c) "Asp.Net.Vulnerability: Asp.Net buffer overflows (potential security
    problems)"
    (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=369016)

    4) When (as a reply to one of the "Asp.Net vulnerabilities" posts) we
    were advised to talk first to Microsoft before publishing this
    information publicly, we decided to write the story (so far) of our
    email exchange with several Microsoft employees and the Microsoft Security
    Response Center: "When will Microsoft take Asp.Net Security seriously?"
    (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=370723)

    5) Meanwhile we were continuing to work on a solution for the 'Full
    Trust' problem and posted:

    a) some ideas on how to tackle the problem: "Idea to solve the current
    shared hosting 'Full trust' issue."
    (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=371761)

    b) a 'proof of concept' example on one of the proposed solutions: "FSO
    in 'Medium trust' environments"
    (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=380247)

    6) Finally we wrote two articles (soon to be published) that explain
    these problems in more detail, and say what we think Microsoft should
    be doing to solve these problems and make Asp.Net a secure platform for
    the development of secure web applications:

    a) "Microsoft must deliver 'secure environments' not tools to write
    'secure code' - draft article"
    (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=379852)

    b) "An 'Asp.Net' accident waiting to happen - draft article"
    (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=379837)

    Our next steps will be to release a new version of ANSA and to continue
    working on the proposed solution for the 'Full Trust' problem (when we
    have more solid data we will release a white paper called "Living in an
    Asp.Net 'Partially Trusted' world", which will provide more details
    about how this can be successfully achieved with the requirements of
    today's Asp.Net developers).

    Best regards

    Dinis Cruz
    .NET Security Consultant
    DDPlus (www.ddplus.net)

    Note: We also posted a query for 'real life' examples of web
    applications developed and deployed in 'Partially Trusted' environments
    ("examples of 'Medium' or 'high' trust Asp.Net applications" -
    http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=380468), but
    haven't received any feedback. If you know of examples we would be very
    grateful if you could provide us (and the Asp.Net community) with feedback
    and 'real life' knowledge.
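The 'Full Trust' problem the message keeps returning to comes down to one setting: the trust level ASP.NET 1.x grants to every web application. The stock machine.config grants Full, and unless the hosting provider locks the element, each customer's web.config can choose its own level. The fragment below is an added illustration for this archive page, not code from the message, from ANSA, or from Microsoft; the trust-level names and policy-file names are the stock ASP.NET 1.1 ones, and the `<location allowOverride="false">` wrapper is the standard machine.config mechanism for preventing a site-level override. The "weak" and "hardened" halves are shown side by side, with the weak one commented out.

```xml
<!-- machine.config excerpt (ASP.NET 1.1 layout assumed; added example, not the page's own) -->
<configuration>
  <system.web>
    <!-- Maps each trust level name to the CAS policy file that defines it.
         "internal" means no restrictions: managed code can P/Invoke,
         touch any file the worker-process identity can reach, etc. -->
    <securityPolicy>
      <trustLevel name="Full"    policyFile="internal" />
      <trustLevel name="High"    policyFile="web_hightrust.config" />
      <trustLevel name="Medium"  policyFile="web_mediumtrust.config" />
      <trustLevel name="Low"     policyFile="web_lowtrust.config" />
      <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
    </securityPolicy>

    <!-- WEAK (shipped default): every site runs with Full trust, and because
         the element is not inside a locked <location>, any tenant can set
         <trust level="Full"/> in its own web.config even if you change it here. -->
    <!-- <trust level="Full" originUrl="" /> -->
  </system.web>

  <!-- HARDENED: pick a partial-trust level for all sites on the server and
       lock it so a tenant's web.config cannot override it. With Medium trust
       the sandbox comes from web_mediumtrust.config: no unmanaged code,
       file I/O limited to the application's own directory, and so on. -->
  <location allowOverride="false">
    <system.web>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>
```

Two caveats a hosting provider would want alongside this. First, the lock only holds if the `<trust>` element really is inside a `<location allowOverride="false">` block at the machine.config level; a `<trust>` element placed loose under `<system.web>` is still overridable per site, which is exactly the condition a tool such as ANSA is meant to flag. Second, the trust level sandboxes managed code only; it does not replace running each tenant's worker process or impersonated identity as a separate, low-privileged Windows account, which is the other half of isolating customers from each other.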

