Browsers can download assemblies directly from my website's /bin d
From: HosedIfSomeoneBadFiguresOutWhoIAm (spam_at_spam.com)
Date: 07/01/04
- Next message: [MSFT]: "RE: Browsers can download assemblies directly from my website's /bin d"
- Previous message: Jonathan Trevor: "IExtractImage, Impersonation, GDI and "access denied" for non-local admins"
- Next in thread: [MSFT]: "RE: Browsers can download assemblies directly from my website's /bin d"
- Reply: [MSFT]: "RE: Browsers can download assemblies directly from my website's /bin d"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 30 Jun 2004 20:01:01 -0700
Microsoft: If you email my passport account directly, I can give more detailed info & a telephone number to reach me.
I've found that browsers can download dll's directly from my website's bin dir.
In the following examples I've replaced my actual company name with "Mydomain" or "Mycode" etc. to protect my website.
For example, all they need to do is type:
http://Mydomain.com/bin/Some.Web.dll
into the IE address bar.
For me, this is very bad. It means that an attacker could simply grab assemblies and use .NET Reflector to determine the code. In my case I issue product registration updates through ASP.NET, with the expectation that a user cannot simply find and download the assembly w/ the code to sign the registrations!
Now this only happens with my website hosted through my ISP (I contacted them for help). If I test the same config on a machine at home, it won't let me download the assemblies.
I looked in the web logs and found the following (again, I've replaced my actual website/assembly names to protect my website)
Note that it only let me have the assembly once (HTTP 200 OK). Subsequent requests returned HTTP 404 (Not found). It never returns the expected response HTTP 403.2 (Read access forbidden).
2004-07-01 02:01:41 216.55.191.221 /bin/MyCode.Web.dll - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - MyCode-tech.com 200 0 28974
2004-07-01 02:24:27 216.55.191.221 /bin/MyCode.Web.dll - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - MyCode-tech.com 404 0 1830
2004-07-01 02:24:32 216.55.191.221 /bin/MyCode.Web.dll - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - MyCode-tech.com 404 0 1830
Any ideas? This is very bad for me!!
Sincerely,
HosedIfSomeoneBadFiguresOutWhoIAm
- Next message: [MSFT]: "RE: Browsers can download assemblies directly from my website's /bin d"
- Previous message: Jonathan Trevor: "IExtractImage, Impersonation, GDI and "access denied" for non-local admins"
- Next in thread: [MSFT]: "RE: Browsers can download assemblies directly from my website's /bin d"
- Reply: [MSFT]: "RE: Browsers can download assemblies directly from my website's /bin d"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
