did my host tell me the truth? (asp.net & security) help needed!
Hello! I'm coming to the security experts to help me with this. Here's some background... Using a .aspx page I can view and download any file from anyone on my shared host. This is a concern since some people (me included) put their database login in their web.config file, or in standard .asp or .php put it somewhere in their directory. I told my web host about this security problem and this is what they wrote back to me:
--------------------------
Sorry for the delay in answering this ticket -- it seems that it was missed.
On Windows, .NET runs as a single Windows user (either ASPNET on Windows 2000 or Network Service on Windows 2003) and because of this, it exposes the problem that you have seen. This is why by default we do not give write access to this user but for simplicity, read access is given.
A lot of .NET programmers will tend to store their username/password information for databases in a .dll to help mitigate the problem.
I'm afraid that with shared web hosting this is a flaw you will see on pretty much every host. If security is your #1 concern for your site then I would not recommend shared web hosting.
--------------------------
So, is that truly the case? I've never noticed this before, but it seems like a pretty nasty .NET security hole. Are most hosts like this? Do these guys just not know how to set up security? Now, I haven't exploited this, but it seems like this would be a good way for wannabe hackers to get in and mess some stuff up, and I can't believe this is the case for all servers running ASP.NET!?
Thanks!