Best way to use a dll from an ASP script - security

I'm writing some ASP code to service requests from a simple HTML form on my company's intranet. The code needs to call methods from a (COM) dll. I'm using the code:
myObject = Server.CreateObject("myDLL.myClass")
but it's giving an error at this line. I'm not sure if the dll is registered on the server, but I suspect it may not be. I'm not sure how to find this out.
If it's not registered, is it possible/best practice to:
Use the dll without registering it on the server (I have the .dll file);
Remotely register the dll safely using ASP code; or
Do I need to contact the IT dept to get it registered?
I'm worried that option 2 might freak the IT department out and also possibly break something - but I have a deadline and it's unlikely that they will get around to registering anything before then.
Is there any way I can use the dll without involving them, purely with ASP?
I've also got this question open regarding running the dll on the client's computers by embedding in the intranet form, which is my preferred method if it's possible. It's the same dll, and it's already registered on all clients' machines but so far I've been unable to get it passed the IE intranet security settings.
ANY help/comments/suggestions on this or my other thread would be greatly appreciated.
Thanks for reading.

you need to register the DLL AFAIK, either with a setup program that does it, or manually with regsvr32 (or similar)

Related

Is my site hacked?

I have my client website www.healthiva.com.. this is developed in .Net C#. In global.asax i have a functionality to send alert email to development team, if any unhandled exceptions are thrown in the whole application. Some times dev team gets email like "The file '/ivr/VAD_Deploy1.aspx' does not exist", "The file '/ivr/mxm_3cx/mxm30.aspx' does not exist".. Our application does not have these files obviously & hence the error. Now my worry is, is someone trying to hack our site by running some scripts ? if yes, please suggest some good security policies.. (the site already uses SSL)..
You are safe
I've just done a couple of tests to see, and it appears that you are getting these errors because other resources in your application are trying to access these directories. Rather than handle these errors and provide a user safe code, it's simply throwing a default server error. Your website is not being hacked - it's just badly written (Sorry, no offence) and lacks sufficient logging techniques.
However, that does not mean that you are still 100% safe. You can either consult with a private security expert or look at automated tools online to test the security of your website. I'd recommend doing some research on the OWASP Top 10 for this, and how to prevent these measures. Most hackers will try to go for one of these methods before trying more robust and niché attacks.
EDIT: Relevant image showing what happens when the server throws an exception

How to get information about UWP app?

How can I get information about an UWP application on Windows 10 from another application?
As a minimum, I am interested in application name and default tile. Then, I would like to be able to learn as much as possible, of course.
Some UWP apps can be linked to an EXE. That is, their main window is created by an EXE. This helps. At least, I know the location of "resource.pri", which presumably can be read.
But, there are apps which do not have EXE, and "hosted" by wwahost.exe instead. These are black boxes to me. Is there any way to know what is inside?
I would appreciate any hints.
Thanks
It's possible, but very different than what we do for desktop apps. I can share you the possible solution but there are some security issues, so I suggest you contact Microsoft to get a better way(maybe open some APIs for this kind of information) ensure your users have a safe system.
Here is what we need to do to get these information.
Enum WWAHost process.
You can enum "File type" items loaded into WWAHost, and find the one which is in this format: "C:\Program Files\WindowsApps\xxxx". When you view the app in Task Manager and view its properties, you will find it is a folder property windows. And you can also use Process Explorer to check the WWAHost process, and you will find the folder format I mentioned.
(Security Issue) To get the package name, version and more information, you have to access the folder I mentioned above. By reading the AppxManifest and dumping the resource.pri by using "makepri dump" and reading the generated resource.pri.xml, you will be able to get many information. But, we have to use special way to get access to the windowsapps folder and it will raise security risk to your users' OS(and maybe other issues). But if it is for your personal use, it's OK.

Encrypt or Protect asp application code

My classic asp application would run on local system of users via internet browser. The code file resides in the root folder of the C: drive. But I want that the code cannot be seen by the users, and even if the file is opened then the code is not readable easily, like encrypted or encoded. I want to protect the code from being copied. Is it possible? If so, then how?
Other way is to Host application on one System and if other system is in connected in LAN they can use same site via hosted URL.
To deploy code in each system is not a good practice to secure.
I will agree with everybody else, suggesting a different design, but I will give you an answer that I think is applicable if you're dead set on what you're doing:
Write your server-side logic in Visual Basic 6 or .NET and expose as COM objects.
(A wilder idea would be to implement your own ISAPI filter, but I am not positive if the APIs allow you to intercept the loading of the source... thinking and googling around make me think that that's not possible, but not 100% sure)
I have done this with COM objects.

SharePoint - Posting and Retrieving files Automatically via VBScript

I'm going to need to push and pull files from a SharePoint site that is not hosted by my company (it is external). I'm only going to get a few days (if that) to get this working so I don't have much time to experiment.
To add to my requirements/headaches, I'm going to have to implement this with VBScript. .Net would be preferred for me but for reasons beyond my control I have to use VBScript. I don't have direct access to my VBScript web server, so I won't be able to implement this in .NET and use that object from VBScript.
I'm looking for anything that would help me accomplish this goal quickly and effectively. I found this post and am wondering if the PUT/GET method used here would work for me?
http://weblogs.asp.net/bsimser/archive/2004/06/06/149673.aspx (I got this link from: Sharepoint API - How to Upload files to Sharepoint Doc Library from ASP.NET Web Application)
To top all of this off, I've never done any programming or administration of a SharePoint site. My knowledge of SharePoint is that of a user. I'm aware that there is an API from the few Google searches I did. However, my readings make me believe that my code would need to run on or in proximity to the SharePoint server. I don't believe I have the proximity I need to use the API.
Sincere thank yous!
Regards,
Frank
Progress Update: I'm still researching this. Tom pointed out that the example I had posted is probably from an old SharePoint version. His recommendation to use .Net to develop a prototype on Web Services is good but I'm hoping for more detailed answers.
I'm now wondering if I can accomplish what I need to accomplish using HTTP PUT and GETs. At my company, for a specific project we do use HTTP PUT and GETs to do something like this. We have files that are stored on an HTTP server and this is how we post and retrieve them.
Would this work over SharePoint or would SharePoint require special handling? Basically, do I have to use Web Services?
Progress Update 2: This link is helpful... Upload a file to SharePoint through the built-in web services
But I am still looking for more information on this topic... Thanks all...
You'll need to use the sharepoint lists web service for metadata and get/put for uploads. That link looks to be for SharePoint 2001, so hopefully you can use the newer/simpler version.
I recommend building something in .net first to get the web service calls worked out - some of the parameters can be quite tricky to debug, and I wouldn't want to be doing that on a remote vbscript page.
Assuming there is no metadata required and the SharePoint library is being used like a file server you can do most of what you want with PUT/GET, but you will probably need a call to GetListItems to find the urls to download.
There's an example on my blog of a lower level call to that web service - it's javascript, but probably close enough.
http://tqcblog.com/2007/09/24/sharepoint-blog-content-rating-with-javascript-and-web-services
What setting up the .net version gets you is very quick set up of a connection to the server (just add a web service reference in visual studio) so you can get the query and queryoptions strings working to retrieve the items you want. Once that works you just have to put it all together as a string including the soap stuff for use without all the nice tools.
I'm a little unclear on the context of the implementation and the prerequisite of having to use VBScript. Are the files being moved from one server to another server or from a user's desktop to this SP server? or are they being accessed via software like Excel?
The first thing that sprang to my mind (this may sound crazy) was using the Office application to make the connection. Your script would call up Excel (just as an example) and pass it the vba needed to initiate the Open File, and then provide the full path to the file that needs to be retrieved. Then have it do a Save As to the location that needs the file. Do the same thing but in reverse for putting files on the SharePoint server.
The tricky part, obviously, is getting the script to interface with the Office app. I know this can be done with the Windows version of PHP, but I don't want to get into anything specific without knowing your situation.
I seriously wonder if you are going to be able to use VBScript to call the SharePoint web services. I haven't looked at the SharePoint web services for a while so I don't remember exactly how they are defined. I thought the web services were SOAP calls though which makes it trickier than
I'm not sure I tried to use Excel to call some web services with the MSSOAP.SoapClient and it seemed this component was unable to handle any WSDL types beyond the very simple strings. Anything with nested data would not work. Instead, you would need to create a COM object to process the conversion which is a major hassle. If you are able to use XMLHTTP component then it might be possible with VBScript, but I'm not sure if it will work with SharePoint web services.
I'm not sure what you mean, "I don't have direct access to my VBScript web server." Is your web server in VBScript (ASP)? Or did you mean SharePoint server?
You might consider C# Script (cs-script) as a scripted solution that uses .NET. I have had good success with it, although it does need to be installed on the computer that runs the script.
I'm integrating between two companies. According to this book, we should use AD FS to accomplish what I'm looking for.
I still don't actually have this working though so if someone has more information I will change the answer to this question.
http://books.google.com/books?id=-6Dw74If4N0C&pg=PA27&lpg=PA27&dq=sharing+sharepoint+sites+external+adfs&source=bl&ots=ojOlMP13tE&sig=FjsMmOHymCOMGo7il7vjWF_lagQ&hl=en&ei=ytqfStClO5mMtgejsfH0Dw&sa=X&oi=book_result&ct=result&resnum=5#v=onepage&q=&f=false
I never really received a answer to this that worked out but this is no longer an issue for me.
What we ended up doing is scraping the html. In effect, we put together our own ad-hoc web service processor where instead of SOAP, html is used to communicate. Then we execute GETs, POSTs, and etc to work with the web service.
We had done something similar in VBScript in for WebDAV -- we had a class and created a new one to work with SharePoint.

Security implications of using .dll's

Is it practically possible for a malicious developer exploit your application by swapping a genuine .dll file for a modified one.
If so are there steps that can be taken to protect an app. Are there some types of functionality that should not be placed in .dlls for example?
As long a signature of the exports is known is very easy to replace a DLL.
It's also possible to reverse engineer the signature if it is not known.
To help prevent this problem you can use Code Signing, so you can verify the signature before using the DLL.
For .NET applications, you can sign the DLL. I'm not sure if something similar exists for non-.NET assemblies.
Anyone with write permissions to your application installation directory will also be able to modify your executable file, so trying to protect against DLL substitution is far from sufficient for many attack scenarios. Is there some particular scenario about which you are concerned?
You should also consider DLL injection, where by a malicious user can for example view passwords in your password fields.....
check out these links:
http://en.wikipedia.org/wiki/DLL_injection
http://www.codeproject.com/KB/DLL/DLL_Injection_tutorial.aspx

Resources