Are there any security issues when exposing system.dll through a web service?

Question

Are there any security issues when exposing system.dll through a web service?

I'm curious what harm someone can do with just accessing the System.dll namespace in C #.

I played with dynamic code compilation and created a simple website that allows me to enter C # code. This is passed through a web service to a class that matches and runs the code in a new thread and returns (the code should return a string) the result via WS and is displayed on the web page.

Right now I have a simple check to interrupt a thread, if it has been running for more than 5 seconds, to provide something as simple as an infinite loop, it will not crash.

Hypothetically speaking, if I published this web application, could someone seriously or damage the web server with just access to System.dll?

** bonus points for some example! :)

+3

compiler-construction c # web services visual-studio-2010

Andrew Grothe Feb 06 '11 at 4:25

source share

2 answers

Not if you fulfill partial trusts and restrict permissions accordingly. If you do not ... well, it’s limited in scope System.dlland mscorlib.dll, as it is implemented.

0

Ben voigt Feb 06 '11 at 5:02

source share

sisve · Accepted Answer · 2011-02-06T04:40:00+0000

You can create a new Thread (mscorlib.dll) that does not match your 5 second rule, download the remote binary using WebClient (System.dll) and execute it using Process (System.dll).
Only a loop that creates thousands of threads with an infinite loop will consume a lot of CPU time.

Are there any security issues when exposing system.dll through a web service?

More articles: