From: Dinis at ddplus.net (Dinis Cruz)
Subject: Security issues with Asp.Net in Shared Hosting Environments

Hello 

Over the last couple of months I have posted several items in the
official Asp.Net website (www.asp.net) related to the security problems
that occur when Asp.Net is used in shared hosting environments (such as
ISPs, Asp.Net developers and companies that manage/host several websites
in their servers). 

The objective of this email is to consolidate all this information in
one single point: 

1) for us, it all started with our "Security guide for ISPs providing
Windows-based Shared Hosting Services"
(http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=249624) 

2) then we created and released an Open Source web application to test
the security configuration of servers hosting Asp.Net websites - the
Asp.Net Security Analyser (ANSA) - which is published in GotDotNet
(http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=360023) 

3) Following the release of this tool, we started a public discussion on
what we considered to be serious problems that needed to be addressed: 
a) "Asp.Net.Vulnerability: Full Trust (current security problems and
possible solutions)"
(http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=368663) 
b) "Asp.Net.Vulnerability: Win32 API calls (potential security
problems)"
(http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=368686) 
c) "Asp.Net.Vulnerability: Asp.Net buffer overflows (potential security
problems)"
(http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=369016) 

4) When (as a reply to one of the "Asp.Net vulnerabilities" posts) we
where advised to talk first to Microsoft before publishing this
information publicly, we decided to write the story (so far) of our
email exchange with several Microsoft employees and Microsoft Security
Response Center: "When will Microsoft take Asp.Net Security seriously? "
(http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=370723) 

5) Meanwhile we where continuing to work on a solution for the 'Full
Trust' problem and posted: 

a) some ideas on how to tackle the problem: "Idea to solve the current
shared hosting 'Full trust' issue."
(http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=371761) 

b) a 'proof of concept' example on one of the proposed solutions: "FSO
in 'Medium trust' environments"
(http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=380247) 

6) Finally we wrote two articles (soon to be published) that explain
these problems with more detail, and say what we think Microsoft should
be doing to solve this problems and make Asp.Net a secure platform for
the development of secure web applications 

a) "Microsoft must deliver 'secure environments' not tools to write
'secure code' - draft article"
(http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=379852) 

b) "'An 'Asp.Net' accident waiting to happen" - draft article"
(http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=379837) 

Our next steps will be the release of a new version of ANSA and continue
working on the proposed solution for the 'Full Trust' problem (when we
have more solid data we will release a white paper called "living in a
Asp.Net 'Partially Trusted' world'" which will provide more details
about how this can be successfully achieved with the requirements of
today's Asp.Net developers). 

Best regards 

Dinis Cruz 
.NET Security Consultant 
DDPlus (www.ddplus.net)

Note: We also posted a query for 'real life' examples of web
applications developed and deployed in 'Partially Trust' Environments
("examples of 'Medium' or 'high' trust Asp.Net applications" -
http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=380468), but
haven't received any feedback. If you know of examples we would be very
appreciated if you give provide us (and the Asp.Net community) feedback
and 'real life' knowledge. 

Powered by blists - more mailing lists