Dinis Cruz
Dear Asp.Net Security Community
Over the last couple of months I have posted several items in the
official Asp.Net website (www.asp.net) related to the security
problems that occur when Asp.Net is used in shared hosting
environments (such as ISPs, Asp.Net developers and companies that
manage/host several websites on their servers).
The objective of this email is to consolidate all this information in
one single point:
1) for us, it all started with our "Security guide for ISPs
providing Windows-based Shared Hosting Services"
(http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=249624)
2) then we created and released an Open Source web application to
test the security configuration of servers hosting Asp.Net websites -
the Asp.Net Security Analyser (ANSA) - which is published in GotDotNet
(http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=360023)
3) Following the release of this tool, we started a public
discussion on what we considered to be serious problems that needed to
be addressed:
a) "Asp.Net.Vulnerability: Full Trust (current security problems
and possible solutions)"
(http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=368663)
b) "Asp.Net.Vulnerability: Win32 API calls (potential security
problems)" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=368686)
c) "Asp.Net.Vulnerability: Asp.Net buffer overflows (potential
security problems)" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=369016)
4) When (as a reply to one of the "Asp.Net vulnerabilities" posts)
we were advised to talk first to Microsoft before publishing this
information publicly, we decided to write the story (so far) of our
email exchange with several Microsoft employees and the Microsoft Security
Response Center: "When will Microsoft take Asp.Net Security seriously?"
(http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=370723)
5) Meanwhile we were continuing to work on a solution for the 'Full
Trust' problem and posted:
a) some ideas on how to tackle the problem: "Idea to solve the
current shared hosting 'Full trust' issue."
(http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=371761)
b) a 'proof of concept' example on one of the proposed solutions:
"FSO in 'Medium trust' environments"
(http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=380247)
6) Finally we wrote two articles (soon to be published) that explain
these problems in more detail, and say what we think Microsoft
should be doing to solve these problems and make Asp.Net a secure
platform for the development of secure web applications:
a) "Microsoft must deliver 'secure environments' not tools to
write 'secure code' - draft article"
(http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=379852)
b) "An 'Asp.Net' accident waiting to happen - draft article"
(http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=379837)
Our next steps will be the release of a new version of ANSA and to
continue working on the proposed solution for the 'Full Trust' problem
(when we have more solid data we will release a white paper called
"Living in an Asp.Net 'Partially Trusted' world", which will provide
more details about how this can be successfully achieved with the
requirements of today's Asp.Net developers).
Best regards
Dinis Cruz
.NET Security Consultant
DDPlus (www.ddplus.net)