Web Hosting Talk

ASPUpload component security


DrAtomic
01-11-2002, 05:18 AM
Hi,

I'm considering adding the ASPUpload component into my offerings but I'm not quite sure what the security impact of this will be, since the component will allow a user to browse the server. How would one set the security for the component in a hosting (multi-user) environment so as not to compromise the server and/or the other users' webroots?

Any help would be largely appreciated!

Cheers,
DrAtomic

mattan
01-11-2002, 08:59 AM
...because it's relatively easy to write an ASP script to browse your win server (assuming it has the right permissions)..

What I feel is a greater risk is that ASPUpload can actually down chunks of stuff and upload anything to the server (depending on permissions again)..

The best way to use this component is to make sure that you set separate permissions for each website (by assigning each site a different user account). Then make sure these accounts are given the least amount of rights (i.e. guest privilege only).


Cheers.

DrAtomic
01-11-2002, 11:12 AM
Thanks for the response; however, I should have asked my question a little bit differently. OK, let me clarify my question; what I meant to ask was:

If I install the component ASPUpload onto my W2k server, what will be its security context?

What I want to achieve is that my clients can use the ASPUpload functionality within their own user directories but nowhere else, using as clean a solution as possible.

Kind regards,
DrAtomic

mattan
01-11-2002, 12:55 PM
The security context for the component (which is actually just a .dll file) is set to Everyone (read). Then again, this depends on how you have set your permissions and inheritance initially. The security context can be easily changed by just changing the file-level permission of the dll file in question.

Basically, what will happen when a client runs the component from within their website is that the component is granted the same rights as the context of the user account which the site belongs to (the rights are cumulative except for Deny).

In the end it all falls back on how carefully you've set your IIS/website permissions, and not so much the component security itself. The component security permissions are only useful if you want to selectively limit and allow certain clients access to this component.

cheers!

DrAtomic
01-13-2002, 08:01 AM
Thanks Mattan,

Everything has been set up so that a user cannot go beyond his/her home folder, so that should do it for the component as well then!

Cheers,
DrAtomic
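
One way to check the setup this thread settles on, where each site runs under its own account and allowed rights are cumulative, is to audit the webroot ACLs. This is an added example, not from any poster; the paths, host name and account names are hypothetical, and it is written in PowerShell, which ships with later Windows Server versions rather than the W2k server discussed.

```powershell
# Added example: audit per-site webroot isolation.
# Hypothetical mapping of each site's webroot to the single account
# its anonymous IIS access (and so any upload component) runs as.
$sites = @{
    'D:\webroots\client1' = 'WEBSRV01\IUSR_client1'
    'D:\webroots\client2' = 'WEBSRV01\IUSR_client2'
}

# Broad principals that per-site accounts usually fall under. Because Allow
# rights are cumulative, an Allow ACE for one of these on a webroot is
# effectively granted to every other tenant's account as well.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

function Test-WebrootIsolation {
    param([hashtable]$SiteAccounts, [string[]]$BroadPrincipals)

    foreach ($root in $SiteAccounts.Keys) {
        $owner   = $SiteAccounts[$root]
        # Accounts belonging to the other sites on the same server.
        $foreign = $SiteAccounts.Values | Where-Object { $_ -ne $owner }
        $acl     = Get-Acl -LiteralPath $root

        foreach ($ace in $acl.Access) {
            # Deny entries only restrict access, so only Allow entries matter here.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if ($id -in $foreign -or $id -in $BroadPrincipals) {
                [pscustomobject]@{
                    Webroot   = $root
                    Principal = $id
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$findings = Test-WebrootIsolation -SiteAccounts $sites -BroadPrincipals $broad
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No cross-tenant or broad Allow ACEs found on the listed webroots.' }
```

The check reads only the ACL on each webroot folder itself; subfolders with inheritance disabled need the same review.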