I have developed an asp.net application and windows desktop application system. My clients can upload images to the asp.net application (only one folder). So if someone uploads a shell script and executes it, one can take the other clients' database files.
The asp.net application works under the windows server 2008 r2 (web server edition) OS and IIS 7.5. It has administrator rights for now. I don't have a domain and domain controller, so I don't have advanced user rights management. And "applicationpoolidentity" doesn't help (I can't even open the page). I thought maybe I can deny executing of uploaded scripts? Is it possible? Or are there any better ways to secure the server from uploaded scripts?
You should change your upload page to reject all files with extensions that aren't images using an extension whitelist.
For additional security, you should configure IIS to not execute scripts in that directory.
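An extension allow-list of the kind this answer recommends, as an added example (not code from the original answer). The class and method names, the accepted extension set and the sample file names are assumptions; the stored name is generated on the server so the client-supplied name never reaches the disk.

```csharp
using System;
using System.Collections.Generic;

public static class ImageUploadPolicy
{
    // Assumed allow-list: adjust to the image types the site actually accepts.
    private static readonly HashSet<string> AllowedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { ".jpg", ".jpeg", ".png", ".gif" };

    // Returns a server-generated file name for an accepted upload, or null to reject it.
    public static string TryGetSafeName(string clientFileName)
    {
        if (string.IsNullOrWhiteSpace(clientFileName)) return null;

        // Some browsers send a full client path; keep only the last segment.
        string name = clientFileName.Substring(
            clientFileName.LastIndexOfAny(new[] { '/', '\\' }) + 1);

        // Reject characters with special meaning in Windows paths, and trailing
        // dots or spaces, which Windows drops when it creates the file.
        if (name.IndexOfAny(new[] { ':', '\0' }) >= 0) return null;
        if (name != name.TrimEnd('.', ' ')) return null;

        // The decision is made on the final extension only, case-insensitively.
        int dot = name.LastIndexOf('.');
        if (dot <= 0) return null;
        string ext = name.Substring(dot);
        if (!AllowedExtensions.Contains(ext)) return null;

        // Store under a random name; keep only the vetted extension.
        return Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
    }

    public static void Main()
    {
        // Constructed sample names, not taken from the original post.
        string[] samples = { "photo.JPG", "page.aspx", "page.asp.", "notes.txt", @"C:\Users\a\cat.gif" };
        foreach (string n in samples)
            Console.WriteLine("{0,-20} -> {1}", n, TryGetSafeName(n) ?? "REJECTED");
    }
}
```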
Related
I need to show a customer an ASP.NET MVC3 website, but they don't have IIS or Visual Studio installed. Only .NET Framework 4 is installed.
So my question is: Is there any tiny little IIS server (like IIS Express), but one that doesn't require installation, that can run the compiled site just on the local machine?
PS: I don't need advanced features. But HttpHandlers and HttpModules should be working fine.
I back Shan's suggestion to host your website on a server somewhere and access it over the Internet. I don't see why it wouldn't work for Intranet applications either unless you have dependencies on some services like SMB shares or network printers.
The Cassini ASP.NET webserver is portable and doesn't require installation, but it doesn't run the same as IIS and there are things that will break (because it invokes ASP.NET for every request unlike IIS, so if you've blocked unauthenticated visitors then they wouldn't be able to download site images and stylesheets, for example, until they've logged in).
I have built an ASP.NET MVC 3 web application (with exclusively Razor/cshtml pages) that runs fine on my local machine with IIS Express. Now I'm trying to publish it to a remote server that is running Windows Server 2003 and IIS 6 and has just been upgraded to .NET Framework 4.0.
I was able to successfully publish all the files to the proper directory on the remote server using Visual Studio 2010's Publish dialog (Publish method: FTP), and I've followed the instructions for including all the DLLs needed to run ASP.NET MVC on a machine that doesn't have it installed, but now I'm pretty much stuck.
The first issue is that I don't have access to the remote server's IIS. I may be able to get the hosting company to add a virtual directory or change a setting, but I'm not sure they know what they're doing, and at the moment, I wouldn't know what to tell them anyway.
The second issue is that I need my web app to live inside an existing site (the web app is basically a protected members area of the main website). So, pretend the main site is http://www.foobar.com. I'd like my web app to be accessed by entering the URL http://www.foobar.com/members.
Questions
Is it possible to publish my web app without access to the remote server's IIS?
If not, what exactly do I need to tell the hosting company to add or change in IIS?
Do the settings under the Web tab of project properties affect publishing or just local debugging? At the moment, I have it set to use IIS Express, and the Project URL is "http://localhost:7373/". Do I need to change these?
Given that the remote server is running Windows Server 2003 and IIS 6.0, is it possible to use Web Deploy or am I limited to FTP?
If I can use Web Deploy, what do I put for the Service URL? All I have right now is a URL in the format of ftp://www.foobar.com/www and a username and password.
If I need to use FTP, what steps do I need to take to get the app working once the necessary files have been uploaded to ftp://www.foobar.com/www/members? I'm not worried about database, security certificates, registry, GAC, etc., I just want to know the steps necessary to get the home page of my web app to come up when I put http://www.foobar.com/members.
Have you had a look at this article by Scott Hanselman?
In addition to that article, please read the following thread on StackOverflow on pretty much the same environment as yourself.
Edit
Your first step should be to get the hosting company to set up the virtual directory with the following parameters (IIS 6):
ASP.NET Version: 4.0.30319 (or later)
Local Path: [root ftp path for main website]\Members
[ ] Script source access (unchecked)
[x] Read (checked)
[ ] Write (unchecked)
[ ] Directory browsing (unchecked)
[x] Log Visits (checked)
[x] Index this resource (checked)
Application Name: Members
Execute Permissions: Scripts only
Application Pool: ASP.NET 2.0
I have an internal ASP.NET MVC 2.0 web application that employees can upload documents to. I am then copying these files to another server for processing. Currently the web application (IIS 7 .NET 4.0) is running under an application account we set up (i.e. WebApp => Basic Settings => Connect as..). This application account has read/write ability on this other server (both share and file security. It was also set as a local admin at one point), but when I try to copy a file to the other server (I can copy/create files on the local server just fine) I get:
System.UnauthorizedAccessException: Access to the path '\\NotTheWebServer\BlahBlah\Blah.pdf' is denied.
If I give "Everyone" share rights to this folder it works. I don't want to give everyone write access via the file system.
My Question: Is this just poor practice to do what I am trying to do here? If so, what is the best way to accomplish this goal?
Thanks,
Mike
This was stupidity/ignorance on my part. I needed to change the user rights on the application pool associated with this web application, not the rights on the virtual directory. Once the user rights were changed on the app pool everything worked as expected.
Hi: I'm reading up on ASP.NET, and just came to a chapter that explains how to upload a file to your website. It says that in order to save a file to your file system, in the case of every OS except Win Server '03, an ASP.NET page executes in the security context of the ASPNET account. I don't have an ASPNET account running on my machine (win xp pro sp3; .NET 3.5). The program runs fine, by the way, I'm just trying to understand what an ASPNET account is exactly, and why it doesn't seem to show up on my list of user accounts. Thanks.
ASPNET is only used if you use IIS. This was the norm in ASP.Net 1.1.
However, in new versions of Visual Studio IIS is not needed, so it uses an internal web server.
If ASPNET exists, in a command window (Start -> Run cmd, click OK) type the following and press Enter:
net user ASPNET
You should see the details of the account, and in Task Manager you will see a process asp_wp.exe
File Access
The Network Service account has Read and Execute permissions on the IIS server root folder by default. The IIS server root folder is named Wwwroot. This means that an ASP.NET application deployed inside the root folder already has Read and Execute permissions to its application folders. However, if your ASP.NET application needs to use files or folders in other locations, you must specifically enable access.
http://msdn.microsoft.com/en-us/library/ff647402.aspx
I wanted to run a .net application on a laptop. I created the application (aspx pages and SQL database) on a computer that has VS 08 installed. Now I want to run this application on a laptop that does not have SQL Server 2005 installed.
As far as the aspx pages, if I publish them to a zip drive, copy it to my laptop and go into IIS and define a new virtual directory to point where my pages are, that should work RIGHT??
Now for the database, I don't know what I need to do.
Any ideas???
Publish the web app to a folder on the laptop and create an IIS Virtual directory pointing to that folder.
As for the DB, install an express version of SQL Server (http://www.microsoft.com/express/Database/) and point your web app at them.
Have you considered using SQL Server Compact Edition? This will allow you to move the db around with the application.
You need to install sql server on the client (laptop) so you can run the application properly.
As far as the aspx pages if i publish them to a zip drive copy it to my laptop and go into IIS and define a new virtual directory to point where my pages are that should work RIGHT??
Yes this should work.
As for the database, you'll need to install it on the computer you are running IIS on and copy the schema and data over or (I would recommend this way) have your code connect to a server which has the database on it.
You need to install at a minimum SQL Server 2005 express edition. You may also need to change the connection settings for your application, which may be in your .config file (depending on how you did your connection in your application) and depending on whether the server instance and database name you choose are different from what you used on your development computer.