ASP 3.0 Folder/File Permissions Settings - asp-classic

Dear Stack Over Flow Folks,
Hi, I have built a form input page in HTML that
has an action to post to an ASP handler/processor
.asp file. The form handler/processor .asp file
contains only <% Insert VBScript Here %> and no
HTML output whatsoever.
The .asp file was never intended to be a
"web viewable" .asp file like an .asp home page
file or html file would. It's supposed to be
for my eyes only- not the public's however
it does need to take info posted by the public
and do something with it on it's end.
I have used VBScript/ASP3.0 to build the form
handler/processor file and would like to know how
to keep someone from viewing the actual VBScript
in the handler/processor .asp file. I am aware of
obfuscation but I would like to know how to keep
prying eyes from even being able to take a look
at the obfuscated code in the handler/processor
file.
I realize that the server executes the .asp file
first before outputting anything to the browser so
I guess that my main concern is mostly that someone
may could "download" the form handler/processor .asp file,
then view it's contents on their machine.
Assuming the form handler .asp file is where it is,
behind the root, and is on a windows server
(no htaccess approach) how could one protect it so that
it could never be viewed or simply pulled down via
anonymous ftp or something like that?
Is there something like "script only" permissions that
the system administrator could set up for a particular
folder? Remember, with shared hosting I can't go above
the root. If so, would the form still be able to post?
How would any of you guys go about protecting the
asp file in addition to obfuscation? Any help would
be greatly appreciated.
Thanks,
ASP Pee-Wee

Unless your code encounters an error, no one should be able to view the contents of the ASP file in the browser. (If you haven't already, add on error resume next to your code, then add some error handling to prevent leaking too much information in any error message.)
If you can (might not be available with your shared-hosting) deny FTP access to all IP addresses except those you permit.

In a hosted environment, no matter what you do to protect your code, bad administrative/security policy by the host provider is a critical point of failure.
While the question specifies a shared-hosted environment, the best bet is to get a dedicated server and secure it yourself. If the information is important enough, the cost should be justified.

Related

If code behind not used, is aspx source code exposed to website visitors?

I've read through some of the questions here and my understanding is that this is true. Could someone confirm that visitors to an ASP.NET website can actually download the aspx files in their original format? Just like with the css files, etc. Thanks.
Clarification: Please be patient with me. I am newbie and just want to make sure I understand. I know that using Dreamweaver, a person can just download almost all the source files from a website. At least that what could be done some years ago with many websites. He would just change a few text contents and have a similar website like the original with all the original design, images, etc.
So if he can do the same with an asp.net site: downloading all the files, he can look at the aspx file and see what the code does. I am not talking about him executing the page and do the view source command. This file would naturally be processed by the server and doesn't expose source code.
This is one of the reasons why code behind is recommended because the code can be compiled and the source is not uploaded to the site. Only the dll is uploaded and minimum logic is exposed through the aspx file.
No, they can't. The ASPX page contains server-side code that is executed, well, by the server, and ends up containing plain HTML that the client browser can understand.
When IIS receives a GET request for an ASPX page, the ASP.NET handler kicks in and returns the processed HTML. So unless IIS is misconfigured, that is not possible.
No. Visitors cannot see your business logic.
If that were the case the markup asp:TextBox wont get rendered as input type='text'
Also, if that were the case we would be seeing code snippets of sites written using scripting languages like PHP or Classic ASP
in newbie's term:
No, the server won't give you ASPX and code behind files, these are files that don't mean anything to the end-user/visitor/browsers. These codes are processed on the server, and what you get is only a bunch of HTML code, javascripts, css, images, etc. which browsers can render.
If you try to "download" (by accessing them through your browser) .ASPX, .CS, and WEB.CONFIG files to see the actual source code, well you simply can't.

Is there anyway to load up a asp.net page object and render its contents to string from a console application?

I am trying to use aspx pages as an email templates. There will likely be a bunch of objects on the page which will be used as replacements in the html. Because it's an aspx page I'll be able to use databinding, repeaters, etc. At run time, I want to be able to instantiate the aspx page from its path, pass in a bunch of properties, and then get the rendered result of the page and email it. This seems pretty straightforward from a asp.net website (maybe using BuildManager or Server.Execute.) However, I want to be able to use the same templates via a console application by just loading up a page object from its filepath. Is this possible?
You could host your own webserver. Like the Cassini webserver.
In my own application (a Windows-based Desktop-CMS), I include a web server, too (non-Cassini). It works very well, also it does not serve ASP.NET but plain, HTML.
As I did some research back then, I first wanted to use the Cassini, too, but at some point, I found out that too much user privileges were required to run it successfully; this may not be an issue to you, but keeping this in mind and try to run it early with the permissions of the later user, might be a good idea.

Changed a page from ASPX to HTM(L) but IIS points to ASPX regardless

We recently rewrote our company homepage and have come across a peculiar error. We have very few pages that need any code behind them, so we wrote the website in static HTML served out of IIS6. The few pages that need any code (Contact Us, with a contact form, for instance) are .ASPX pages.
The previous version of the website had more .ASPX pages, even if there was no code in the code-behind. One of those pages was "management.aspx", and in the new site this is, logically enough, "management.htm". We're smart enough to not just change the file extension -- we rewrote everything, it just has the name in common.
Here's the peculiar part: Even though every link in the entire website points to "management.htm", IIS6 continues to try and serve "manangement.aspx". I've reset IIS, stopped/started the Default Web Site under IIS6, deleted pages from "Temporary ASP.NET Files" and deleted out temporary GZIP files from the server as well. This isn't MVC or anything, so we have no explicit URL routing, and while I can see us having to implement static file handling in our web.config httpHandlers, I can't imaging that being a necessity.
What gives? Why is IIS6 still trying to serve the old "management.aspx" page when we're explicitly asking for "management.htm"? What can I do to fix it?
Your bindings have to be off somewhere... check top level for *, *.htm, managment.htm, etc. Then check virtual directories.
If you paste "http://yoursite/management.htm" in your browser and you get a YSOD, this is an IIS issue for sure.
Check if you still have the bin folder in the root of your site.
Do you get a 404 because it tries to load management.aspx and it's not there?
Check the Default Page on the Website/Virtual directory in Question, and if it exists remove the reference to manangement.aspx.

Browse Files Server-side in ASP.NET

I'm creating an ASP.NET web application to schedule tasks on our server from a remote location using a .NET Wrapper for Scheduled Tasks. However, I'm stuck.
The user needs to be able to browse the file system on the server to retrieve a "file to run" for the new task that the user's creating in this application. I need to get the filepath/filename and pass it into the .NET wrapper.
I've tried using HTMLInputFile, but I haven't found a way to make that work for me.
Any help is appreciated.
Thanks
Update:
For this project, we've decided to simply list the executables in a dropdown box that would be available to users since they don't really need total access to the file system, just for security's sake.
HTMLInputFile is used to browse the client's file system and upload a file to the server. It isn't used to browse the server's file system.
You will need something quite different. You will need some server side code to display the server side folder structure to the user via the browser.
There is an example of a basic implementation of this here.
Update:
With that sample, the path that you replace "yourfolderHere" with needs to be a virtual path, rather than an absolute path. So for example "C:\Inetpub\wwwroot\uploads" won't work, but "uploads" will work.
I hope it goes without saying that there are serious security issues to think about when implementing something like this.
The HTMLInputFile will only work on the client-side machine.
You need to write a filesystem browser in ASPX/HTML that browses on the server-side.
Shouldn't be that hard to do.
You can't use the <input type="file" tag
This brings up a client-side dialog that browses the client machine.
As far as I am aware you need to create your own 'browser'.
eg You could use the My.Computer.Filesystem classes to retrieve a list of files in a folder and show those on the webpage. The user then selects the relevant file and posts a response back to the server.
You can use System.IO.Directory to get directories and files. These can be displayed in a number of ways. A simple browser / file selection should be possible in less than 50 lines of code.
Also be aware that you may need to grant extra permissions to the user that your web app runs as so the file system is accessible.
There are also various security implications around this, so don't grant access to everything unless you really need this.

Web File Security best practices for ColdFusion 8 in IIS6 or IIS7

Let's say we have a web site with a CF app that was written in-house.
Assume that:
Server 2003 IIS6 or 2008 IIS7 will be used
ColdFusion 8 will be used
Directory browsing is denied
SSL is required to connect
The account login process is secure (yeah I know that is a whole other
ball of wax but that concept is discussed ad nauseum on the web).
Say I have a file at https://domain.com/folder1/folder2/ with a name like picture92352.ext imagine it as a jpg or pdf or whatever. The entire path between the domain name and the file varies widely in naming structure, depth, etc. Files are not all lumped together in one folder.
The app restricts links by user such that a user would have to have access to that file to find it in the first place but as it stands now if a person knew the full URL to that file they could retrieve it without logging in to the app. It's the classic security by obscurity situation. A random person isn't likely to find a file they shouldn't get to but once someone is given access they know how to access it from another PC where their actions might not be traced back to them.
How do I restrict access to these files before someone logs in and still make them accessible to outside users after they log in? Is there a way to do it with permissions only or is the only answer to have code dynamically moving files around at the time of the request or is there some obvious step I'm not even thinking of?
Let me clarify this slightly. No matter how the file is presented on a page a user can use the browser IE, Firefox, etc to examine the URL the file comes from. If the image is a link there is always copy shortcut in the right click menu for IE and the same functionality in FF is called copy link location. If the image is displayed inline as part of the page an IE user can right click and choose properties to see the URL, in FF the same functionality is present to see properties but there is an even quicker more convenient option labeled copy image location. Once a user knows the URL to a file if the location or file name doesn't change they can use that URL without authenticating in the CF app.
If I change the NTFS/share permissions so that IUSR can't see the content then my CF app and IIS can't push it. What strategy do I use to provide the file in the CF app that doesn't leave this hole open?
You could write a CFM page that serves up the images. Then you just make sure they are authenticated inside the CFM.
<!-- something like this -->
http://localhost/GetFile.cfm?file=foobar.jpg
In GetFile.cfm, you would do something like:
<!-- the filename part is what the browser will pre-popualate the file name in the download dialog as -->
<CFHEADER name="Content-disposition" value="attachment;filename=picture92352.ext">
<CFCONTENT type="text/plain" file="\\fileserver\folder1\folder2\picture92352.ext">
Take a look at the various MIME types.
If you wanted to do something similar but keep a more natural URL, I think you would need to leverage the Java servlet underpinnings of ColdFusion to create a handler for any URL matching a certain pattern.

Resources