Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 Community Forums
 Code Support: ASP (Non-Forum Related)
 ASP include security
 New Topic  Topic Locked
 Printer Friendly
Author Previous Topic Topic Next Topic  

D3mon
Senior Member

United Kingdom
1685 Posts

Posted - 31 March 2002 :  19:09:24  Show Profile  Visit D3mon's Homepage
Can anyone tell me - When an ASP page accesses the Filesystem to read an include file does it use a system account for the permissions or the anonymous web user account?
Somehow, someway I've an idea that I can turn my includes (with all my 'business logic' inside) into (kind of) fake COM objects by putting them in a seperate folder on the webserver and switching off read permissions for the standard web-user. Since they are only requested by the ASP parsing engine, I would have thought it would work. Can anyone see what I'm meaning?
COM objects kick ass, but my sysadmin won't allow them.

D3mon

Gidion
Starting Member

22 Posts

Posted - 31 March 2002 :  19:15:38  Show Profile
IMHO Windows users the IUSR Account.

But if I understand right, then you are worrying about people seeing your code in the asps. Right? If so, you can stop worrying (i think ) The Asps will not be shown even if you directly try to access them by typing their url.

---------------------------
MANIAC Development
http://mcc.in.tum.de/maniac
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 31 March 2002 :  19:17:08  Show Profile  Visit HuwR's Homepage
you can't turn an asp file into a com object no matter what you do to it or where you put it, if you switch of read access for the web user, it will not be able to find your asp files.

Go to Top of Page

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 31 March 2002 :  19:22:41  Show Profile  Send ruirib a Yahoo! Message
I also think the same. The anonymous internet user is the account used to access includes files in IIS 5.0. I understand that in IIS 4.0 for any file included with the VIRTUAL directive, the usual Access Control List permission were/are not checked.
This was changed in IIS 5.0, so I don't think you can do what you describe in your post.

Also from a security point of view it's always better to use an include file with an .ASP extension than using a .inc as sometimes happens. An .ASP file will always be executed by the server, so there is no way for the users to download them in normal circumstances.

-------------------------------------------------
Installation Guide | Do's and Dont's | MODs



Edited by - ruirib on 31 March 2002 19:25:43
Go to Top of Page

Gidion
Starting Member

22 Posts

Posted - 01 April 2002 :  15:09:13  Show Profile
Huwr: I don't think you can fully say that you can't turn asps into coms. I had to secure a bit of business logic a while back which was not allowed to be saved in "plain text". So I just turned all of the aspcode (It was easier to turn all of it into a com object than just the one part needing security) into a dll using vb. The dll just returned my html code and the asps took it and presented it.
Surely you can't turn every asp code into com but it worked for me.

---------------------------
MANIAC Development
http://mcc.in.tum.de/maniac
Go to Top of Page

D3mon
Senior Member

United Kingdom
1685 Posts

Posted - 01 April 2002 :  18:35:12  Show Profile  Visit D3mon's Homepage
Oh bugger. I'll have to rely on the ASP security then. I'm just concerned somebody might discover the ability to download an asp file. Luckily I had heard before that it is a good idea to name include files as .asp rather than .inc so they should be quite secure in that respect.

It is possible to convert ASP's into COM objects and visa-versa but it takes some re-coding as VB-script is slightly different to VB (mainly in that VBscript has some nice features pre-installed like the request and response objects and in VB they have to be added in.)
Thanks guys

Go to Top of Page

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 01 April 2002 :  18:46:07  Show Profile  Visit HuwR's Homepage
quote:

I've an idea that I can turn my includes (with all my 'business logic' inside) into (kind of) fake COM objects by putting them in a seperate folder on the webserver and switching off read permissions for the standard web-user



I actually said that you could not turn your asp files into COM objects by doing the above, I DID NOT say that you couldn't turn ASP into COM objects, that is an entirely different matter, and they are no longer asp files, but COM objects and behave completely differently.

Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Topic Locked
 Printer Friendly
Jump To:
Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page
This page was generated in 0.3 seconds. Powered By: Snitz Forums 2000 Version 3.4.07