Help with WScript.Shell Object

[joe]

I've made an ASP page that calls a small executable and collects its
text output into a variable ("strExeOut") below. Below is some code similar
to the one I use for that purpose.

strExe = "C:\whatever\myprogram.exe -h1 -d33"

Set objShell = CreateObject("WScript.Shell")
Set objScriptExec = objShell.Exec(strExe)
strExeOut = objScriptExec.StdOut.ReadAll

I developed this in my own computer and the whole thing works like a charm,
but
unfortunately I assumed my hosting provider would let me run the (little and
harmless) exe, and they won't.
Therefore I have to run only the "exe" portion of the code in another web
server and send
back the output to my website on the net.

I'd like to get some feedback on what would
be the best way to call an exe on another server, and to have the output
sent back.

Any help is appreciated. Thanks in advance.

 

[Steven Burn]

1. Make sure you've set a security proc on the server that CAN run the exe, to prevent unauthorised servers running it (e.g. a security key or whatever that will be passed from one to the other)
2. Stick ALL of the code that runs the exe, into a file on the server that can run the exe
3. Use the XMLHTTP object to run the asp page on the other server, and to return the results.

Thats my thoughts on it anyway....

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

 

[joe]

Steven:

Thank you. So far the method is working. I still haven't dealt with the
security aspect, as I am a bit ignorant of the administration of IIS. Does
it matter that the exe doesn't really do anything except to output some
text? What are the risks, besides someone issuing XMLHTTP calls to the page
where the WScript.Shell Object is used, and retrieving its output? Sorry if
my question is too newbie-like.

 

[Steven Burn]

It depends on what the text contains.... but personally I'd be inclined to protect it regardless (I always tend to err on the side of paranoia).

Executables, as with anything else, use resources, so allowing someone else to access the file could (in theory) allow them to bombard the page with requests, causing your server to crash (could also happen with regular web-files though, it's not an issue thats restricted to certain file types).

I don't actually run exe's on the server so don't know the in's and out's where the security aspect is concerned though, you'll have to wait for one of the experts to come along and advise you on this one.

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

 

[Mark J. McGinty]

It depends on what the text contains.... but personally I'd be inclined to
protect it regardless (I always tend to err on the side of paranoia).Executables, as with anything else, use resources, so allowing someone else
to access the file could (in theory) allow them to bombard the page with
requests, causing your server to crash (could also happen with regular
web-files though, it's not an issue thats restricted to certain file types).

I don't actually run exe's on the server so don't know the in's and out's
where the security aspect is concerned though, you'll have to wait for one
of the experts to come along and advise you on this one.
<<<<<


The security risk is that it is much much more difficult to restrict an EXE
that it is to restrict the actions of a script. An EXE has the whole Win32
API available to it, it can manipilate ACEs and process tokens, it can call
LoginUser as part of a brute-force password attack, it can explicitly
allocate large chunks of memory -- there is no stopping even an uninspired
C++ programmer from crashing the system on purpose if s/he wants to, and you
allow his/her EXE to run.

Bottom line, the system is almost infinitely more vulnerable to rogue code
in an EXE, even if it's accidental, than it is to script.


-Mark



--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!