TechQA.

Are there possible security concerns with exposing system.dll via web service?

184 views Asked by At

I'm curious what damage someone could do with just access to the System.dll namespace in C#.

I was playing around with dynamic code compiling and created a simple website which allows me to type in C# code. This is passed via web service to a class which complies and runs the code in a new thread and returns (code must return a string) the result via the WS and is displayed on the web page.

Right now I have a simple check to abort the thread if it runs for more than 5 seconds to ensure something simple like an infinite loop won't crash things.

"Hypothetically" speaking if I published this web application could someone do serious/any damage to a web server with just access to System.dll?

**bonus points for some sort of example! :)

c# web-services visual-studio-2010 compiler-construction dynamic-code
Original Q&A
2

There are 2 answers

1
sisve On BEST ANSWER
  1. You can create a new Thread (mscorlib.dll) that wont comply with your 5 second rule, download a remove binary with WebClient (System.dll) and executing it using Process (System.dll).
  2. Just a loop which creates thousands of forever-looping threads would consume a lot of cpu time.
1
Ben Voigt On

Not if you run in partial trust and limit permissions appropriately. If you don't... well, there are few bounds to the capabilities of System.dll and mscorlib.dll, since that's where reflection is implemented.

Related Questions in C#

Related Questions in WEB-SERVICES

Related Questions in VISUAL-STUDIO-2010

Related Questions in COMPILER-CONSTRUCTION

Related Questions in DYNAMIC-CODE

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions