Is it safe to give the Asp.Net user account modify permissions to the root of the website?

If I give the Asp.Net user account (Network Service for Win 2003) modify rights to the root folder of my public website can a user send a request to the server to somehow modify the .aspx files of my website? What are the risks of doing this?

Answers


Short answer: Don't do it

Long answer: Still don't, but here is one scenario followed through that might make you think twice (there are probably many, many more):

  1. If you have a file-upload control anywhere on your site, say for image uploads, and an attacker manages to compromise your security (don't forget this does not necessarily mean breaking your site - they might just hijack someone's session or manage to guess/steal a password), they can upload a malicious script (.aspx page). The site has "modify" permissions, so it can write the file to disk.

  2. I see you tagged the question with .net, so imagine they upload an .aspx page with some <script runat="server">...</script> that reads the contents of the web.config file and displays them.

  3. Did you put any database connection strings with passwords in clear text in your web.config file? Because if you did, imagine their next step is to upload a new .aspx file that connects to those databases... they can then read your databases, delete data, change data... They probably don't really need the username/password because they can just use your named connection strings, but that information could be useful for another attack that I haven't thought of here.

I think you see where this scenario goes...
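A practical way to check for the condition this answer warns about is to audit the NTFS ACLs under the web root for write-capable entries granted to the worker-process identity. The script below is an added example, not part of the original answer; the web root path, the identity names and the PowerShell 2.0-compatible cmdlet usage are assumptions for the example.

```powershell
# Added example: list folders under a web root where the ASP.NET worker identity
# holds any right that allows creating or changing files. Path and identity names
# are assumptions for this example; adjust them for the server being audited.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot',
    [string[]]$WorkerIdentities = @('NT AUTHORITY\NETWORK SERVICE', 'BUILTIN\IIS_IUSRS')
)

# Any one of these rights is enough to drop a new .aspx file into the folder.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData

function Find-WorkerWritableFolders {
    param([string]$Path, [string[]]$Identities)
    $findings = @()
    # Root folder plus every subfolder (PSIsContainer keeps this working on PowerShell 2.0).
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse | Where-Object { $_.PSIsContainer })
    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            # Match the configured identities and any IIS application-pool identity.
            $isWorker = ($Identities -contains $who) -or ($who -like 'IIS APPPOOL\*')
            if (-not $isWorker) { continue }
            if (($ace.FileSystemRights -band $writeRights) -ne 0) {
                $findings += New-Object PSObject -Property @{
                    Path      = $folder.FullName
                    Identity  = $who
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
    return $findings
}

$hits = Find-WorkerWritableFolders -Path $WebRoot -Identities $WorkerIdentities
if ($hits.Count -eq 0) {
    Write-Output "No write-capable ACEs for the worker identity under $WebRoot"
} else {
    # Every hit is a folder where an upload feature could persist a server-side script.
    $hits | Sort-Object Path | Format-Table Path, Identity, Rights, Inherited -AutoSize
}
```

Any folder that legitimately needs to be writable (an upload target, for instance) should sit outside the web root or at least have script execution disabled for it, rather than the whole site being writable.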


Is it safe to give the Asp.Net user account modify permissions to the root of the website?

100% definitely NOT.

can a user send a request to the server to somehow modify the .aspx files of my website?

Only if you build a page that does this in response to the request. Otherwise, no, not in one request.

What they can do is things like submit forms with way more characters in each field than your page was built to handle and attempt to create a buffer overflow they can exploit. But that happens over multiple requests. Or they can create an interactive HTTP session and look for vulnerabilities to hijack your process that way.

