Major security risks of ASP. NET Virtual Hosts

ASP. NET Virtual Host has a major potential hazard. BRINKSTER. COM applied for a free ASP.. NET Space. Two programs are uploaded. One of the programs that view directories and files proves my judgment: a security problem exists in the ASP shared space server, it still exists in the ASP + Shared Space server and becomes more difficult to prevent! Through this program, I can browse all the user's ASP + programs, and view the server's system logs ......, Of course, there is no problem if I want to delete anything. To give you a clearer understanding of this issue, it is necessary to briefly introduce this issue that already exists in ASP.

Commonly used standard component in ASP: FileSystemObject, which provides powerful file system access capabilities for ASP, you can read, write, delete, and rename any directories and files on the server's hard disk. The FSO object comes from the script running library scrrun. dll provided by Microsoft.

Use the following code to create a FSO object in ASP:

Set fso = CreateObject ("Scripting. FileSystemObject ")

ASP. net vm in our use of fso object includes the following attributes and methods: such as Drive, Drives, Folder, Floders, File, Files, and other operations on the server disk, directory, and File. This powerful file system access capability brings serious security problems to ASP shared space providers, many ASP space administrators delete this component or rename it to prevent users from using this standard component. Deleting a component or renaming a component is indeed a simple and effective method, but it does not allow users to use its powerful functions. There is also a beautiful solution on the network, which allows users to use the FileSystemObject component without affecting the security of the server, that is, each user is set to an independent server user and a single directory operation permission. However, this method is problematic. Because ASP and ASP. NET have similar problems in this regard, we will add details in the corresponding solutions section of ASP. NET.

In ASP. NET virtual hosts, we found that this problem still exists and becomes more difficult to solve. This is because. NET, and ASP. NET has a new function, this component does not need to use regsvr32 for registration as ASP does, you just need to upload the Dll class library file to the bin directory to use it directly. This function is designed for ASP development. NET brings a lot of convenience, but it makes the solution that we delete or rename this dll in ASP useless, so it becomes more complicated to prevent this problem. Before discussing the solution, let's take a look at how to implement the above dangerous functions.

This section describes the risks related to ASP. NET virtual hosts. We will introduce the security risks of ASP. NET virtual hosts.

1. Syntax analysis of nested If statements in ASP. NET Programming
2. Analysis of Date and Time Processing in ASP. NET Programming
3. Analysis of the pop-up window alarm prompt for ASP. NET Programming
4. Meanings and benefits of ASP. NET stored procedure calls
5. Analysis of ASP. NET application Resource Access Security Model