Security & Installation Issues

Hi, we are experiencing some problems with our hosting company to install the forum (full advanced version). Note, this hosting company (we'll leave their name out of this posting) does have all the requirements except for CDONTS. The following is their reply to our inquiry about installing the forum on our account, basically to confirm that all was kosher. If you would, please advise us on what to do regarding the mail & security issues they reaise below:

<!-- Start Hosting Company's Reply -->

After reviewing the requirements listed below, there are two obvious
potential issues. The first is the CDONTS requirement for email
functions, as CDONTS will not work on our servers because it requires
the web server to be running SMTP, and we do not run mail services on
our web servers, only on our mail servers. This is done for both
performance and security reasons.

Instead of using CDONTS the forum would have to be able to use one of
the other four mail components we have installed. We have ABMailer,
Dundas Mail, ASPEmail and ASPSmartMail components installed.

The second potential issue is the Guest "write" permissions. For
security reasons, the webspace (the 'www' folder and all subfolders and
all subdomains and subfolders) is strictly read-only permissions. If
you need permissions granted temporarily for the installation, simply
let us know and we can coordinate this with you to allow the
permissions for an hour or two. If this is a requirement for the actual
daily operation of the forum, the 'data' and 'databases' folders,
located at the same level as the 'www' folder, have write permissions
and files would have to be placed here and referenced in your scripts.

<!-- End Hosting Company's Reply -->

Thanks for any help you can provide!

1. I don't know what the problem is with regards to mail component. Just select ASPEmail from the admin control panel. CDONTS is not a requirement. It is there for those who do not have any commercial component installed.

2. write permission is only needed for one single dir (not the whole forum dir), upfiles, if you want to allow users to upload attachment. Without write permission, how can one upload files onto your server?

Thanks for the reply, Samuel. I'll consult with the hosting company and let you know how it
goes.

Dear Samuel:

Here is what our web hosting company said in response to your reply here in the forum. Please
let me know what to tell them. Thanks again for all your assistance.

<!-- Start Webhosting Reply -->

It would appear as though you require one of the following:

1. You need us to temporarily enable write permissions to a folder
within the www directory or the www its self so that the forum can be
installed.

--or--

2. You need a folder with permanent write permissions to reside within
your www folder.

Is one of these two correct? Please advise....

<!-- End Webhosting Reply -->

point 2 is correct.

If your host supports CDOSYS, you should use it. CDOSYS is very fast and stable, and is a lot better than those commercial components. It also supports external SMTP server too.

Dear Samuel:

I briefed our webhosting company on the situation, and they had the following reply/inquiry.
I wanted to run this by you as I wasn't sure. Thanks in advance for all your assistance!

<!-- Start Web Hosting Reply -->

Our security policy will not allow us to provide you with an actual
physical folder within your www folder with write permissions.

We can however provide you with a folder on the same level as your www
folder, and then create a virtual folder on the web server level that
will "virtually" reside within your web space.

Please let us know if this would be acceptable.

<!-- Stop Web Hosting Reply -->

The problem is with the hosting company. There is no way that a subfolder with write permission can cause security issues if permission is set up correctly (see point 2 below). I have not seen a hosting company that makes such statement. You have two options:

1) if they insist not to allow this permission, not a problem as this is not critical for this forum to function. Upload is an option that can be turned on/off in the admin control panel. Please keep this in mind. Anonymous upload is not crucial for the forum to function.

2) you can i) disallow parent path access for the entire application ii) disallow scripting for that particular folder (upfiles) so that there is no way that someone can upload/run/execute malicious code against your server, while allowing file attachment for messages (PM, event, avatars, profile pictures,etc.).

Having a folder on the same level as www is not an option here, as there is no way for the forum software to know where exactly the folder is relative to your forum directory. PLUS, everything uploaded to that folder is not accessible thru the web - it is of no use here either.

Hope they can understand the difference between write permission and security hole.

Teamflex, Samuel's second point is very correct. If it is ok with you, please let us know what the exact issue(s) are that your hosting company have with write permission. There is an FAQ that tells you how to disable the two things Samuel mentioned:

http://www.aspplayground.net/forum/m_376885/tm.htm

Hi Freddy:

We're not sure what the deal is with the hosting company but guess its either paranoia,
confusion, or both.

Thanks for the head's up on the alternative to the file attachment issue. I'll forward it
onto them, as I'm still waiting for their response.

Thanks for your help!

Is this fixed now?

ORIGINAL: Guest

Is this fixed now?

What are you referring to? I guess you are confused with the statement TeamFlex's hosting company made. Refer to my post above for detailed info. There is no security problem here in the software with regards to write permission or CDONTS.