Re: ASPNET User Problem in Shared Hosting Environment

From: Mr Snorkel (snorkelmeister@yahoo.com)
Date: 07/25/02 

From: snorkelmeister@yahoo.com (Mr Snorkel)
Date: 25 Jul 2002 14:20:14 -0700

Exactly.

It's time MS came clean about this. At present, it is not safe to run
ASP.NET applications in any shared hosting environment. It is
trivially easy to violate other sites' privacy if you're sharing a
server with them. I'm amazed that this has still not become more
widely known. Presumably MS are hoping that this will stay the case
until the problems are fixed with a later version of the framework.
But as things stand any business shared-hosting a .NET web application
is in my opinion being negligently foolish.

"M. Shawn Dillon" <nollids@moc.ovc-erutrepa> wrote in message news:<ulbyvxgHCHA.1728@tkmsftngp09>...
> From this I gather that shared hosting is not supported or recommended
> unless you are willing to give all of your customers the ability to trash
> your machine or other customer's sites. Trustworthy computing indeed...
>
> "Ben Miller [MS]" <benmi@online.microsoft.com> wrote in message
> news:#vgSaOZHCHA.1712@tkmsftngp08...
> >
> http://www.msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetse
> > c/html/V1securitychanges.asp?frame=true
> >
> > Watch for URL wrap. This should give you an idea of what this is all
> about.
> >
> > Ben Miller
> > This post is provided "AS IS" and confers no rights or warranties.
> >
> > "Ely Lucas" <ely@cmconline.com> wrote in message
> > news:uhhpa6p7u09c2@corp.supernews.com...
> > > Hello,
> > >
> > > I am trying to setup a win2k server that will be used for shared hosting
> > > services, and am trying to figure out how asp.net is going to be able to
> run
> > > secure on the server.
> > >
> > > In the asp days, you would give each website its own IIS_User account to
> run
> > > under, and give that user RWXD permission to it's web root folder. You
> would
> > > remove the Everyone group and also give the admin group full permission
> on
> > > the folder. This would keep users who are developing apps that are going
> to
> > > be hosted on that machine from poking around in each others directories
> with
> > > the file scripting object, include files, etc...
> > >
> > > With asp.net, it seems like everything is ran under the ASPNET user
> account.
> > > The problem here being, the ASPNET account needs Read permission to
> every
> > > site on the server so it can monitor file changes and such for the
> > > framework.
> > >
> > > When a user runs an aspx page, it runs under the ASPNET account that has
> > > read permissions to everyone elses aspx pages. So anyone can do a <!--
> > > #Include File="c:\inetpub\site1\allmylovelypasswords.aspx" --> into
> someone
> > > elses directory and get their source code. And that is just the
> beginning...
> > >
> > > I have messed around the Impersonation, and set the machine.config up as
> > > follows:
> > >
> > > <identity impersonate="true" />
> > >
> > > And when this happens, it seems like it is working, because when I do a
> > >
> > > Response.write(WindowsIdentity.GetCurrent().Name)
> > >
> > > it returns my IIS_User for that particular site that I have setup in the
> IIS
> > > MMC. However, this site is still able to browse through and view any
> > > resource on the hard drive that the ASPNET user has access to (which,
> > > remember, has to be all the aspx pages on the entire server, the
> > > Microsoft.NET folder, and more).
> > >
> > > So, I guess what I am wondering is, what is the best practice for
> setting
> up
> > > asp.net in a shared hosting environment? What are all the big hosts
> doing
> > > out there? What does Microsoft have to say about this (there are no docs
> at
> > > all in their web hoster program)?
> > >
> > > Thanks,
> > > Ely
> > >
> > >
> > >
> > >
> >
> >

Relevant Pages

  • DNS vulnerabilities in shared host environments
    ... A potential vulnerability in the use of DNS exists in some shared ... Note that cPanel's default configuration does limit this ... however many shared hosting providers alter the ... for that domain is created on the shared hosts DNS server. ...
    (Bugtraq)
  • Re: Purple Paper: Exegesis Of Virtual Hosts Hacking
    ... hosted on a shared or on-site server, ... dedicated hosting is more secure than shared hosting. ... of security is far less than the one of most shared hosting users. ... customers - at about a thousand times more shared hosting customers ...
    (Bugtraq)
  • ASP and DCOM component -- any gotchas?
    ... The server is a Windows 2003 Web server edition using process ... The call to Server.CreateObject failed while checking permissions. ... Finally I checked the system logs and found that I was getting DCOM ... for our shared hosting clients has ever shown up in the list displayed by ...
    (microsoft.public.inetserver.iis)
  • Re: ASPNET User Problem in Shared Hosting Environment
    ... >> I am trying to setup a win2k server that will be used for shared hosting ... >> secure on the server. ... >> When a user runs an aspx page, it runs under the ASPNET account that has ... >> resource on the hard drive that the ASPNET user has access to (which, ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Local Access database to shared PHP/MySql hosting export
    ... Aren't the sysadmins going to prevent direct access to the database server? ... I've got a simple PHP/MySql application on shared hosting, ... > beleived it used a mysql odbc driver that runs on windows and knows how to ...
    (comp.lang.php)