Security :: FileIOPermission CreateDirectory Does Not Work
Oct 13, 2010
There appears to be a recent issue with how CreateDirectory resolves FileIOPermission that is causing issues on our server.
Reading through some similar posts on the issue there is a lot of misinformation being given out, so I am hoping to get some kind of clarification.
Given the following setup:
1. Windows Server 2003 SP2 running IIS6 with latest version of .NET Framework 3.5 SP1 fully patched
2. A web site created under IIS6 running under Medium Trust and with the Network Service user being given Full Control over the virtual directory.
3. Running System.IO.Directory.CreateDirectory with the following code:
System.IO.Directory.CreateDirectory(Server.MapPath("~/testfolder"))
4. Fails with:
[Code]....
It appears CreateDirectory is breaking the permissions somehow, as the medium trust rules are as follows:
<IPermission version="1" Read="$AppDir$" Write="$AppDir$" Append="$AppDir$" PathDiscovery="$AppDir$"/>
These rules all point to being able to create directories within the virtual directory/application folder. In fact I am certain this has worked in the past, but recently has stopped working.
Note that this is not an NTFS permissions issue, files can be written,read and deleted in the virtual directory, only CreateDirectory is restricted somehow.
So what is going on, has a recent security update changed this functionality so that Medium Trust no longer has the ability to create directories?
View 6 Replies
Similar Messages:
Nov 15, 2010
I have a Windows 2008 Server IIS7 running ASP.NET 3.5 SP1 and ASP.NET 4.0 in Medium Trust. I am trying to execute System.IO.Directory.CreateDirectory method. It works fine with ASP.NET 4.0 but under ASP.NET 3.5 SP1 I get : SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib. What is going on ? Is this an ASP.NET 2.0 (3.5 SP1) bug ?
View 5 Replies
Jun 3, 2010
I am using Itext sharp to create a pdf. I am adding an image and I keep getting this error
Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, ersion=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
it is this bit of code that is causing this
[Code]....
If i comment this out, the PDF builds and no errors are thrown (there is just no image)
I don't understand cause I am am trying to do is read a file.
View 2 Replies
Jul 16, 2010
I am trying to load some dll's into a MEF DirectoryCatalog within an ASP.NET MVC application:
var catalog = new DirectoryCatalog(HttpRuntime.BinDirectory, "Toptable.Mobile.*.dll");
When I run the app through the Cassini web server (i.e. F5) everything runs fine however when hosted in IIS(7) I get the following exception:
[code]....
The .NET trust levels for the application are set to "Full" both for the site and globally and I have set the trust level in web.config (system.web/trust) to Full.
View 2 Replies
Feb 22, 2011
Here is my code
[Code]....
"fileUpload" is the FileUpload ASP.NET control. The SaveAs method writes the user uploaded file to a specified location on the server. IT WORKS. That tells me that the ASP.NET process has the proper write permission to write to the file.The next line uses an assembly called PdfSharp which you can use to open PDF files and manipulate them. In this case, the line simply opens up the user uploaded file. That is where the error occurs. WTH?
It works on my production machine. It does not work on my local machine. It USED TO. It was never a problem before.So why would it be fine to WRITE to the server, but trying to open a file give an error? Makes no sense. Googling yields a suggestion to put <trust level="Full" originUrl="" /> under <system.web> in web.config. It does not work.
View 3 Replies
Feb 7, 2011
Environment: Windows 2008 R2 x64 [IIS7.5]
irectoryInfo("D:MySecretFolder")
I get thrown the following error.
'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed
Application pool is using NetworkService account as its identity and I have given that account full rights on that folder.
View 2 Replies
Jul 27, 2010
what is two way encryption and how does that work ?
View 2 Replies
Jun 7, 2010
i am having trouble running my application on iis when i enable rolemanagement. It works fine in the visual studio development server.
Is there anything i need to configure in iis to make that work?
This is the error page:
Server Error in '/testapp' Application.
Object reference not set to an instance of an object. Description: An unhandled exception occurred during the execution of the current web request. review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.
Source Error:
[Code]....
Stack Trace:
[Code]....
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1
View 2 Replies
Jan 20, 2011
i use visual studio 2010, SQL express 2008 on win server 2008
after running the wizard of security (created single user, set permissions like deny anonymous and allow the created user) and pressing F5 --> the site works just fine.
when i move the folder to IIS 7 and "convert to application" the login page appears but it wont accept the password i provided.
i was told that only Stackoverflow geniuses will answer this question.
i am using .Net 4, manged pipleine mode --> inegrated
IIS settings:
Anonymous Auth. --> Enabled
Forms Auth. --> Enabled
ASP.Net Impersonation, Basic Auth, Digest Auth, Windows Auth--> Disabled
web.config
<configuration>
<connectionStrings>
<add name="ApplicationServices" connectionString="data source=.SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true" providerName="System.Data.SqlClient"/>
[Code]....
the username exists in aspnet_Users table and the username "encrypted" in aspnet_Membership table
View 1 Replies
Sep 23, 2010
This question is somewhat of a follow up to How serious is this new ASP.NET security vulnerability and how can I workaround it? So if my question seems to be broken read over this question and its accepted solution first and then take that into the context of my question.Can someone explain why returning the same error page and same status code for custom errors matters? I find this to be immaterial especially if this is advocated as part of the work around to it.Isn't it just as easy for the script/application to execute this attack and not specifically care whether or not it gets a http status code and more on the outcome? Ie doing this 4000 times you get redirected to an error page where on 4001 you stay on the same page because it didn't invalidate the padding?
I see why adding the delay to the error page is somewhat relevant but doesn't this also just add another layer to fool the script into thinking the site is an invalid target?What could be done to prevent this if the script takes into account that since the site is asp.net it's running the AES encryption that it ignores the timing of error pages and watches the redirection or lack of redirection as the response vector? If a script does this will that mean there's NO WAY to stop it?Edit: I accept the timing attack reduction but the error page part is what really seems bogus. This attack vector puts their data into viewstate. There's only 2 cases. Pass. Fail.
Either Fail, they're on a page and the viewstate does not contain their data. No matter what you do here there is no way to remove the fail case because the page just will never contain their inserted data unless they successfully cracked the key. This is why I can't justify the custom errors usage having ANY EFFECT AT ALL.Or Pass, they're on a page and the viewstate contains their inserted data.Summary of this vulnerability
The cipher key from the WebResoure.axd / ScriptResource.axd is taken and the first guess of the validation key is used to generate a value of potential key with the ciphered text.This value is passed to the WebResource.axd / ScriptResource.axd at this point if the decryption key was guessed correctly their response will be accepted but since the data is garbage that it's looking for the WebResource.axd / ScriptResource.axd will return a 404 error.If the decryption key was not successfully guessed it will get a 500 error for the padding invalid exception. At this point the attack application knows to increment the potential decryption key value and try again repeating until it finds the first successful 404 from the WebResource.axd / ScriptResource.axd
View 4 Replies
Jan 28, 2010
I have the following code. I simply want to select the security question and answer from the DB and do something if the result is true.
This is my code:-
[Code]....
This code always returns the result of "Invalid User Credentials", so this means it does not recognize the values from the DB. When i put something in that SHOULD match i still get the same. I dont get an error message but the logic here is to select security question and answer where the question is equal to the dropdown box and the answer is equal to the textbox. If there is a match then do something..
But this does not work..
You can see what i mean here:-
[URL]
If you select "What street did you grow up in?" from the dropdown and then put in "deeplish" in the security answer, the result should be "**EXISTS".
View 2 Replies
Feb 28, 2010
I need to retrieve the user data from the different web application. In the web.config I can specifydifferent profiles, but I cannot figure out how can I use it in the application. This is what I did:
<profile defaultProvider="i90PartnerProfileProvider">
<providers>
<clear/>
[code]...
View 3 Replies
Feb 26, 2010
We have two different users and we want to authenticate them through "IIS Client Certificate Mapping Authentication" in IIS 7. They have certificates issued by VeriSign.When user requests a website, a pop-up appears on their browser to select a certificate. User can see both certificates and selects one of them and hit ok.We could capture Certificate attributes using
following code
HttpClientCertificate cs = Request.ClientCertificate;
Response.Write("ClientCertificate Settings:<br>");
Response.Write("Certificate = " + cs.Certificate + "<br>");
until now every thig is fine.We mapped one of two certificates to an AD user using this
"Configuring One-to-One Client Certificate Mappings".http://learn.iis.net/page.aspx/478/configuring-one-to-one-client-certificate-mappings/I am trying to print if user is authenticated or not using following code. and it is never authenticated. I don't know what mapping does. It seems it does nothing.Response.Write (Request.ServerVariables["LOGON_USER"]) ;
Response.Write ("<BR>") ;
Response.Write ("AUTH_USER: ") ;;
Response.Write(Request.ServerVariables["AUTH_USER"]);
Response.Write ("<BR>") ;
Response.Write("IsAuthenticated :" + User.Identity.IsAuthenticated + "<br>");
Response.Write("HttpContext.Current.User.Identity :" + HttpContext.Current.User.Identity.IsAuthenticated + "<br>");
Response.Write("Request.IsAuthenticated :" + Request.IsAuthenticated + "<br>");
Can somebody help so that I can allow user only if he supplies a certificate that is mapped to a user. Currently any user having a certificate can get into the site, site is having anonymous authentication and certificate is required.
View 1 Replies
Dec 13, 2010
i'm working in my first integral website ,and i'm using the ASP.NET Login Controls but now i need to know how i can work with the user who loggedin ,i wanna visable his Data only not the all users data ,like for example the site is contain medical data for every user and when one user is logged in it will implement query to visual his Examination only.
View 7 Replies
Aug 17, 2010
I have a problem. I can't get current logged user to my application. Everything is fine on localhost. When I deployed an application
on IIS, it stopped working. I have Windows Authentication Enabled on my IIS. For every account which uses intranet, logged user is the same now, and it's an administration account.
Why application doesn't get real logged user, but administrator account ?
View 3 Replies
Nov 14, 2010
I have an ASP.Net 4.0 application that is using Forms Authentication and ActiveDirectoryMembershipProvider. It authenticates against Active Directory running on Windows Server 2008 R2.I use ChangePassword control for changing passwords.When the user changes the password he can log on for some time with the old password. My client feels this is a security problem with the application. Is there any way to make sure the old password does not work after the user changes it?Also, if I do iisreset on the web server, the old password stops working. The password must be cached somewhere in the web app.
View 3 Replies
Oct 19, 2010
I need to pass the credential of the logged in user to the DB, which is on a different server, is it that Impersation can only work if the DB is on the same machine as the web server? How can I flow the credential to the the server?
View 2 Replies
Oct 2, 2010
In the login control, the "Remember me next time" checkbox does not appear to work.
If I check it when logging in, when I log in the next time, even a minute later, I go to the login page again.
It seems the cookie is not being written to the client. Can't find it anywhere.
My web.config contains:
[Code]....
View 4 Replies
May 31, 2010
In my web.config I have configured a SiteMapProvider with securityTrimmingEnabled="true" and on my main master page is an asp:Menu control bound to an asp:SiteMapDataSource. In addition I have configured restricted access to all pages in a subfolder "Admin" (using another web.config in this subfolder).
If I put a sitemapNode in Web.sitemap...
<siteMapNode url="~/Admin/Default.aspx" title="Administration" description="" >
... only users in role "Admin" will have the menu item related to that siteMapNode. So this is working fine and as intended.
Now I have defined a URL route in Global.asax to map the physical file to a new URL:
System.Web.Routing.RouteTable.Routes.MapPageRoute("AdminHomeRoute",
"Administration/Home", "~/Admin/Default.aspx");
But when I use this route-URL in the SiteMap file...
<siteMapNode url="Administration/Home" title="Administration" description="" >
... it seems that security trimming does not work: The menu item is visible for all users. (Access to the page is still restricted though, so selecting the menu item by non-Admin users does not navigate to the restricted page.)
Question: Is there any setting I've missed so far to make security trimming working with URL routing in ASP.NET 4.0 Web Forms? Did I do something wrong? Is there any work-around?
View 1 Replies
Jun 24, 2010
I developed our feature rich web page which is constantly changing. I'm not much of a programmer but I know HTML and CSS pretty well. I have a need to create a couple of login page for prospects and end users to get to secured content. I put together a page that works perfectly in Microsoft Visual Web developer Express 2010. This includes a login page. Ironically, after learning how to do all this from a book, there is a web page that perfectly chronicles what I am trying to accomplish and the steps to do it. It's here: [URL]
I don't expect you to watch it, but there is a simple aspx page created for login and then users are created and the content is displayed after successful login. It works fine in m development environment, but when I post, nothing. Furthermore, twice in the last two days, after downloading my current site to my hard drive, and then posting back after adding this functionality, my FrontPage forms stopped working. I had to have my website restored from backup. The whole thing makes no sense and I can't find any precedence posted on any user forums. So any testing I do seems to wipe out my navigation structure.
I'm going to establish the site on a different server tonight and see if its configuration. If that works, I'm not sure where to g next. I'd appreciate any thoughts. The worst part is I can't post a test page or my Fropage contact forms stop working.
View 1 Replies
Feb 1, 2010
I have created a login page using the login control provided by the visual web developer and set up all the accounts and roles using the web admin tool. Everything works fine if I run the page within the developer but when I host it on IIS, The login does not work. It shows the invalid password message from the login control.
View 3 Replies
Jan 21, 2010
I used login controls in my web site to authenticate users.
What I used are: CreateUserWizard, LoginView, Login, LoginStatus, and LoginName.
They are working excellent in Google Chrome. When I was working on the project my default browser was Google Chrome, that is why when I run the project from Visual Studio 2008 everything was alright.
However, later when I decided to check all functionalities on other browsers, Login controls don't work on any version of Opera and IE.
For example, when I fill the CreateUserWizard and click Create User button, it does very fast Postback, then nothing happens at all (no user created in the database).
Same with Login control, when I try to login with existing user details, it does very fast PostBack again and doesn't authenticate.
View 2 Replies
Feb 11, 2011
It seems to work just fine but it resets the users password, emails it to them and then the user can not log in with the new password.
View 1 Replies
Jun 4, 2010
My Windows Server 2008 server hosts an ASP.net application that uses impersonation. The application works as long as the user being impersonated remains logged on to the server. However, when the user logs off, clients can no longer view the web pages. They get a cryptic error instead. How can I configure the server to work without the impersonated user remaining logged on?
View 5 Replies
Apr 1, 2010
Login Control RememberMeText doe not work?
[Code]....
View 7 Replies