
AbleCommerce 7 Respects Authority: Serious Issue with IIS

Posted: Sat Oct 18, 2008 7:58 pm
by Sean@WMS
I read an article the other day entitled "How to take over an IIS server in no time flat" by Mark Joseph Edwards.

In the article he boils down a presentation by Cesar Cerrudo presented at Microsoft's BlueHat Security Briefings. Here's a core excerpt:
Cerrudo showed how to completely take over — or "0wn" — a system running Microsoft's Internet Information Services (IIS) and Windows Server 2003.

The attack involves hijacking a security token and using it to gain elevated privileges. That sounds rather complicated, and it is — unless you have some helper code. Microsoft hasn't yet fixed the problem, but neither had any working exploits been released.

That all changed last week. Complete working exploit code is now available on the Internet, as documented by the No More Root blog and others. People can use this code to upload to an IIS server a file that allows them to take over the system.
One of the front lines of defense is to reduce the trustLevel of .NET applications:
Fortunately, there are ways to reduce the risk. Regardless of whether you use IIS 6 or IIS 7, don't allow ASP.NET applications to run with full trust. Instead, configure the machine-level Web.config file so it forces applications to run with medium trust.
See: http://msdn.microsoft.com/en-us/library/ms998341.aspx

Other ASP.NET shopping carts crashed when we tried this . . . . But AbleCommerce 7 sites ran perfectly.

Now, if we can just get all of our other ASP.NET shopping cart clients on to AbleCommerce 7, there will be a happy ending for everyone on this issue. Meanwhile, other ASP.NET shopping cart applications have become a potentially significant liability for us.
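The machine-level setting the quoted article is talking about, as an added example rather than anything from the post or the AbleCommerce project: the ASP.NET 2.0 machine-level Web.config ships with the `<trust>` element set to Full inside a `<location allowOverride="true">` block, which lets any site's own Web.config raise itself back to full trust. Hardening it means both changing the level to Medium and setting allowOverride="false" so per-application Web.config files cannot override it. The file path below assumes a default 32-bit .NET Framework 2.0 install; adjust it for Framework64 or a different framework version.

```xml
<!-- %windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config (path assumed for a default install) -->

<!-- BEFORE (shipped default): full trust, and any application may override it -->
<location allowOverride="true">
  <system.web>
    <securityPolicy>
      <trustLevel name="Full"    policyFile="internal" />
      <trustLevel name="High"    policyFile="web_hightrust.config" />
      <trustLevel name="Medium"  policyFile="web_mediumtrust.config" />
      <trustLevel name="Low"     policyFile="web_lowtrust.config" />
      <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
    </securityPolicy>
    <trust level="Full" originUrl="" />
  </system.web>
</location>

<!-- AFTER (hardened): medium trust, locked so a site's own Web.config cannot raise it -->
<location allowOverride="false">
  <system.web>
    <securityPolicy>
      <trustLevel name="Full"    policyFile="internal" />
      <trustLevel name="High"    policyFile="web_hightrust.config" />
      <trustLevel name="Medium"  policyFile="web_mediumtrust.config" />
      <trustLevel name="Low"     policyFile="web_lowtrust.config" />
      <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
    </securityPolicy>
    <trust level="Medium" originUrl="" />
  </system.web>
</location>
```

Two things a practitioner should check after making the change: first, that allowOverride is actually "false", because with the default "true" a `<trust level="Full" />` in an application's own Web.config silently wins and the hardening is undone; second, that each hosted application still works, since medium trust denies unmanaged code, reflection on private members, registry access, and file I/O outside the application directory, which is exactly why some shopping carts fail under it while an application designed for shared hosting does not. The MSDN page linked above (ms998341) documents the permission set behind web_mediumtrust.config in detail.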

Re: AbleCommerce 7 Respects Authority: Serious Issue with IIS

Posted: Sun Oct 19, 2008 8:19 pm
by Shopping Cart Admin
Hello Sean,

One of our early design goals was to run in medium trust, which is pretty standard in shared hosting plans. Sounds like our goal was met. Thanks for the information.