I am trying to configure the IPermission node as part of medium trust. However I am unable to find the valid values list for the PathDiscovery attribute on the node
<IPermission class="FileIOPermission" version="1" Read="$AppDir$" Write="$AppDir$" Append="$AppDir$" PathDiscovery="$AppDir$"/>
I need to set the permission so that the account will be able to access all subdirectories under the main path. currently a .svc (WCF service file) throws a 404 error because the ASP.Net account is not able to get it from a sub-folder couple of levels deep. I am trying to avoid changing the node to
<IPermission class="FileIOPermission" version="1" Unrestricted="true"/>
Any ideas?
TIA
I certainly agree that you shouldn't change the node to Unrestricted, as that would pretty much defeat the purpose of partial trust.
According to the System.Security.Permissions.FileIOPermission documentation on MSDN, FileIOPermission is supposed to imply permissions to everything below that path as well.
From that doc:
Access to a folder implies access to
all the files it contains, as well as
access to all the files and folders in
its subfolders. For example, Read
access to C:\folder1\ implies Read
access to C:\folder1\file1.txt,
C:\folder1\folder2\,
C:\folder1\folder2\file2.txt, and so
on.
Of course, building custom trust .config files is woefully poorly documented by Microsoft, so it's possible that the .config markup for FileIOPermission behaves differently than the code class... That would be surprising to me though.
Is it possible some other problem is causing the 404? Double-check that the service is executing under the credentials you'd expect, and that the path is being evaluated correctly...
Related
I've had a very frustrating experience on putting an MVC 5 app on Azure. I have been reading the following page: http://www.asp.net/identity/overview/features-api/best-practices-for-deploying-passwords-and-other-sensitive-data-to-aspnet-and-azure
But what I haven't managed to put in my head is the following:
Security Warning: Do not add your secrets .config file to your project or check it into source control. By default, Visual Studio sets the Build Action to Content, which means the file is deployed. For more information see Why don't all of the files in my project folder get deployed? Although you can use any extension for the secrets .config file, it's best to keep it .config, as config files are not served by IIS. Notice also that the AppSettingsSecrets.config file is two directory levels up from the web.config file, so it's completely out of the solution directory. By moving the file out of the solution directory, "git add *" won't add it to your repository.
And:
Security Warning: Unlike the AppSettingsSecrets.config file, the external connection strings file must be in the same directory as the root web.config file, so you'll have to take precautions to ensure you don't check it into your source repository.
The problem is the following: When I upload the Web.config file with the external files without being included I get hit by "The System cannot find the file specified", so for it to go away I must include the .config files defeating the purpose of Microsoft's post.
I really really really do not understand. I have added the connectionStrings and appSetting's keys in Azure's portal. What is the correct and secured way of putting my passwords and secrets online? What am I missing? Is it because I'm running in Debug mode?
According to this:
How can I secure passwords stored inside web.config?
There is nothing to worry about accessing the Web.config file...
But that just defies Microsoft's post.
Thanks.
I find the following technique to be the easiest way to do this.
Instead of putting the deployment values of these settings into the web.config, I keep the test values in there instead. I then put the deployment values into the Application Settings section of the Azure Website via the Azure Portal:
When the website runs, these settings will take precedence over what is in the web.config. This helps me avoid externalized files, allows me to keep sane development configuration that the team can share, and makes deployment very easy.
The best way is to set your secrets in the Connection Strings section of the portal. Any values set there will override values you specify in your web.config file.
This way they are only exposed to people who have admin access over the site itself. Having full access to the source won't even be enough to get the secret values.
More details here
A client has custom firewall rules around their website to prevent any number of attacks. One of the custom rules blocks all requests (either GET or POST) including a double hyphen, in order to prevent SQL injection. While updating their website last night, we had an issue where on every page, one of the calls to the ScriptResource.axd included a double hyphen(--) resulting in access to the script being denied.
We had seen this issue previously and thought we had worked around it by using the ScriptReferenceProfiler in order to generate the list of scripts we'd need to combine in order to remove so many script references. That was working until the update last night when the issue reoccurred. (Interestingly, I reran the ScriptReferenceProfiler and all of the scripts it identified were already included in the CompositeScript listing so I don't know where this file came from.)
I finally created a new IIS virtual directory where the issue with the double dashes didn't occur, despite pointing to the same directory and codebase as the previous virtual directory. (I set the initial virtual directory to act as a redirect to the new one so the users wouldn't have to worry about updating links or bookmarks.) I can see from this post that the first parameter is generated via encrypting the assembly name and resourcename which explains the difference in the values between the two virtual directories.
But obviously, I'd like to avoid this situation in the future. Does anyone have any thoughts as to how to prevent double dashes from appearing in the ScriptResource requests?
For reference, this occurred in a VB.Net website running in .NET 4.0 on IIS 6/Windows Server 2003. Additionally, the script file being rejected was for an Infragistics control of some sort. (I turned off the firewall rule briefly in order to get the file and then re-enabled it. I wasn't able to tell from the script what role it played for Infragistics, though.)
Thanks.
The first parameter (d) is the assembly and the resource. For the assembly, this includes the name and version as well as the public key token if the assembly is strong named. If any of these change then the string for the resource will also change.
The second parameter (t) is just for the timestamp and this allows the resource to change if an assembly containing an embedded resource is updated without the assembly name or version changing even if caching is enabled on a site.
The encryption of the first parameter is based on the MachineKey so you could change the MachineKey to change the string that results from the encryption. This may help you to have a simple workaround for the issue when it does come up even if you don't control the names and versions of all of the assemblies that you use.
Related reading that may be of interest to you:
machineKey Element (ASP.NET Settings Schema)
How To: Configure MachineKey in ASP.NET 2.0
Debugging ASP.NET 2.0 Web Resources: Decrypting the URL and Getting the Resource Name
According to this article (method 2, item 6) I'm supposed to add computername\IIS_IUSRS as the role allowed to read my web.config file.
I'm not sure if it's true, though, because:
I've seen other web sites on the current server that don't have that set in security tab but still are accessible
more importantly, I still get the error 500.19 related config data invalid with extension config file insufficient permissions (0x80070005).
(At this point I'm only trying to serve a static HTML page, before I'll go on and also deliver web services.)
What am I missing?
Check every part of the directory tree in your setup. Make sure that every directory, subdirectory and file that you're trying to access, in fact, has the group IIS_IUSRS defined on your local machine (or the server, in fact). I'm betting my left ear that you'll find a part that hasn't.
The error you mentioned - 0x80070005 - means precisely that.
In case you still can't find the source of the issue, remove the whole directory tree and redo the whole setup process. Maybe there's some access right that's catched, then.
I just tested it on my system and I could cause the error you're describing by removing permissions of IIS_IUSRS from a subdirectory.
I've had this question for many years, and did research every time that this issue arose, but could never find a definite answer. Somehow the mighty Internet, MSDN, community forums, are either silent or vague on this. Out of thousands of development-related uncertainties, this is the only one that remained elusive.
To the point: in order to enable users to upload and manage images (and other files) used in their blog posts, in a shared hosting environment, I can either consider SQL Server binary data types (performance implications), or the file system. To use the latter, the necessary permissions need to be set for the IIS_IUSRS role on the storage directory : create/write, read and delete. My question - if I do this, what are the security implications? Could someone somehow take advantage of this, bypass the ASP.NET request pipeline and manipulate the files inside the folder without making a request to the corresponding ASP.NET handler (which checks rights, validates uploads, etc.)?
I've developed several systems that allowed file uploads and this has always bothered me. Now, hopefully, someone will be able to put my mind at ease and, ideally, explain the mechanics behind the process.
UPDATE
After viewing the latest answers (many thanks), another formulation of the question:
Is it in any way possible for a client to somehow bypass the request pipeline and create/delete files inside a directory that allows it (assuming the person knows the directory structure)? Or only the code that handles the request can do it? Any potential exploits?
The main problem is to been able to upload a script, an aspx page, in this directory with the photo files, and runs it.
Here is one case: I've been hacked. Evil aspx file uploaded called AspxSpy. They're still trying. Help me trap them‼
The solution to that is to add this extra web.config file on the directories that allow to upload files and not permit to run any aspx page. Also double check to allow only extensions that you permit and not allow to change that on the file name, if they have the opportunity to make rename.
<configuration>
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</configuration>
Also on the directories that you allow to upload files, do not permit to run any other script like simple asp, or php or exe, or anything.
general speaking
All your pages have permissions to run and manipulate many things on the server. What you give now is the ability of write on some directories, also by using some aspx page. The asp.net now have one more extra permission to write files there, on the photo folder. Also note here, that you asp.net page have this control, not the user. What you do there with your code can write on this directories, so must be carefuller there to double check where you write and not allow any other directories, not allow the user to manipulate the directory that can be written to.
So this is the weak link. To been able to upload more script that can take control of the server, at least the part that can be access by the asp.net user of this pool.
Having done this before, I'd make two recommendations:
First, do not store the uploaded files in the same directory structure as your application code (if possible). Make it a well-defined external location, and locked down explicitly to only the user the application is running as. This makes it harder for a malicious upload to be injected into your application as nothing in the web server, or ASP.NET itself, knows how to access the file (only your application).
If that is absolutely not possible to do so, be sure to make sure no external user can access the storage folder using standard ASP.NET authorization and only allow writes by your application user to this folder, nothing else.
Second, do not store the uploaded files with their original names and file extensions; Keep that meta-data separate. Just consider the file a raw binary blob of data. This is good for a couple reasons. First, it prevents inadvertent execution of the file on the server, be it by someone accessing the file system directly, the web server, or ASP.NET. Second, it makes it much more difficult for an attacker to exploit a malicious upload as they should never be able to guess the name, or path, of the file on the server.
URL authorization only applies to Asp.Net related file types?1 But why couldn’t it also be applied to non-Asp.Net file types?
Thanx
This is because of the script maps for ASP.NET. Only certain extensions are mapped into ASP.NET. The rest are handled directly by IIS. This is by design, for performance reasons.
There are two ways to handle this.
Duplicate your authorization rules in the web.config files in NTFS File ACLs (that is, set permissions on folders and files directly). Make sure that the user's authentication scheme matches the accounts and groups used for controlling access... in other words, if you're using SQL to store username tokens, this won't work, because those tokens won't necessarily map back to domain users and groups/roles.
Create an IHttpHandler to serve up your non-ASP.NET files. From the ProcessRequest method, call the Server.MapPath(url) method on the incoming URL, then stream out the file using Response.WriteFile(filename). You will probably need to set the ContentType property first. And, (here's the bad news), you may still need to perform a declarative or imperative access check -- just having the entries in the web.config files may not work. See Custom ASP.NET Processing with HTTP for more information on writing your own handler. It's probably a good idea to make separate handlers for each content type. Once you've written one, you'll see how easy they are to make.
You could try (haven't tried this myself) to add <httpHandlers> elements to web.config files where you have additional <authorization> elements -- use the <remove> element to remove the inherited HttpHandler and add another one at the subfolder level (perhaps pointing back to the same class?). I'm not sure this will work, but it's worth a try.
Finally, if you really don't want to go through and do all this work, you could simply add more extension mappings in IIS. For example, take a look at How to: Register HTTP Handlers, you can add a mapping for .jpg files to the aspnet_isapi.dll (take a look at the existing mappings for .aspx and so on). You do not need to add an HttpHandler element to your web.config, because the machine level web.config already contains this entry:
<add path="*" verb="GET,HEAD,POST" type="System.Web.DefaultHttpHandler" validate="true"/>
Please note that this may have very serious performance issues on your site.