Using a ASP.NET Shopping Cart? Serious IIS Issue
10-18-2008, 10:55 PM
Sean@WMS (Sean Connors, Eureka, CA USA)
I read an article the other day entitled "How to take over an IIS server in no time flat" by Mark Joseph Edwards.

In the article he boils down a presentation by Cesar Cerrudo presented at Microsoft's BlueHat Security Briefings. Here's a core excerpt:


Quote:
Cerrudo showed how to completely take over — or "0wn" — a system running Microsoft's Internet Information Services (IIS) and Windows Server 2003.

The attack involves hijacking a security token and using it to gain elevated privileges. That sounds rather complicated, and it is — unless you have some helper code. Microsoft hasn't yet fixed the problem, but neither had any working exploits been released.

That all changed last week. Complete working exploit code is now available on the Internet, as documented by the No More Root blog and others. People can use this code to upload to an IIS server a file that allows them to take over the system.

One of the front lines of defense is to reduce the trustLevel of .NET applications:

Quote:
Fortunately, there are ways to reduce the risk. Regardless of whether you use IIS 6 or IIS 7, don't allow ASP.NET applications to run with full trust. Instead, configure the machine-level Web.config file so it forces applications to run with medium trust
See: http://msdn.microsoft.com/en-us/library/ms998341.aspx

Currently we have clients using BV Commerce 2004 and AbleCommerce 7 as ASP.NET shopping cart solutions. All of the BV Commerce sites crashed, while all of the AbleCommerce 7 sites respected the "Medium" trust level.

If you are a host or a merchant running Lagarde's StoreFront 6 or 7 or ASPDotNetStorefront -- or any other ASP.NET shopping cart application, you may want to look into this issue.
__________________
Web Merchant Services
Online Payment Processing, FREE shopping cart
10-20-2008, 01:43 PM Re: Using a ASP.NET Shopping Cart? Serious IIS Issue
ASPDNSF-DAN

If you are running AspDotNetStorefront, it fully supports medium trust operation. There are a few caveats, however. The application was designed to support standard medium trust. Some hosts apply additional restrictions to their medium trust policies, which can cause things to break, so make sure your host is using a fairly standard medium trust configuration. Secondly, by default medium trust does not allow access to sockets, which means any code that calls an external URL will fail. Because payment gateways, realtime shipping rates, etc. call third-party APIs, the host will have to allow access to sockets (or at least allow HTTP/HTTPS calls to the APIs' URLs) in order for realtime payment gateways and real time shipping to function. This is something that we generally see as standard practice amongst hosts running medium trust.
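The two settings discussed in this thread, as an added example that is not part of either post or of any vendor's documentation: a machine-level Web.config fragment that locks applications to medium trust and uses originUrl to permit outbound HTTPS calls to one payment gateway. The gateway host name is a constructed placeholder, and the default medium trust policy file is assumed to be unmodified.

```xml
<!-- Added example. Machine-level Web.config, located under
     %windir%\Microsoft.NET\Framework\{version}\CONFIG\ -->
<configuration>
  <!-- Weak setting, shown for comparison only: full trust, and each site
       may change the level in its own Web.config.
  <location allowOverride="true">
    <system.web>
      <trust level="Full" originUrl="" />
    </system.web>
  </location>
  -->

  <!-- Hardened: allowOverride="false" stops an application's own
       Web.config from raising its trust level back to Full. -->
  <location allowOverride="false">
    <system.web>
      <securityPolicy>
        <trustLevel name="Full" policyFile="internal" />
        <trustLevel name="High" policyFile="web_hightrust.config" />
        <trustLevel name="Medium" policyFile="web_mediumtrust.config" />
        <trustLevel name="Low" policyFile="web_lowtrust.config" />
        <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
      </securityPolicy>
      <!-- originUrl is a regular expression. The default medium trust
           policy substitutes it for $OriginHost$ in its WebPermission
           entry, so outbound HTTP(S) is allowed only to matching URLs.
           gateway.example.test is a constructed placeholder host. -->
      <trust level="Medium" originUrl="https://gateway\.example\.test/.*" />
    </system.web>
  </location>
</configuration>
```

A cart that calls several external APIs (payment and shipping, for instance) needs a custom medium trust policy file with one URI entry per host in the WebPermission ConnectAccess list, because originUrl carries a single pattern.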
 