Security issue with including csc.exe in bin folder for website

In order to use the C# 6 features (such as ?.) in the .cshtml files of an MVC5 site, you need to include csc.exe and related files in the bin folder of your website during deployment. Well, I can understand the reasons for this.

However, that now means my web server has a complete C# compiler running with the same permissions as the website user. It makes me uneasy: theoretically, an attacker could use it to run arbitrary code as my site.

Is this a real security issue?

I can see both sides: on the one hand, you would already need the ability to execute arbitrary code in order to pass arbitrary code to the csc executable. On the other hand, I can see it being used to get at the website's internal settings (for example, the database connection string) by running code that we would never want to write.

Should I be worried, or is it considered safe?

+6
1 answer

As I understand it, MVC Razor views are actually arbitrary C# code, which, after any change, is recompiled on demand.

Thus, any hacker with write access to the website's files can run arbitrary C# code in any version of MVC.

I agree that this seems like a risk, because it is, but on the other hand, you get the advantage of being able to modify Views without republishing the entire website.

+2
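An added audit script (not from the original thread) that checks the two conditions discussed above on a deployed IIS/ASP.NET MVC site: whether a compiler ships in bin\, and whether the site's runtime identity (or a broad group) can write into the site root, bin\ or Views\, which is the access that already allows a changed .cshtml to run as the site. $SitePath and $AppPoolIdentity are placeholders for your own values.

```powershell
# Added audit script (not from the original thread). Reports executables in bin\
# and write-capable ACEs on the site directories for the runtime identity.
# $SitePath and $AppPoolIdentity are placeholders; replace them with your values.
param(
    [string]$SitePath = 'C:\inetpub\wwwroot\MySite',   # placeholder
    [string]$AppPoolIdentity = 'IIS AppPool\MySite'    # placeholder
)

# 1. Which executables ship in bin\? csc.exe is the one the thread discusses.
$binPath = Join-Path $SitePath 'bin'
$exes = Get-ChildItem -Path $binPath -Filter '*.exe' -File -ErrorAction SilentlyContinue
foreach ($exe in $exes) {
    [pscustomobject]@{ Check = 'ExecutableInBin'; Path = $exe.FullName; Detail = $exe.Name }
}

# 2. Can the runtime identity (or a broad group it is likely a member of) write
#    to the site root, bin\ or Views\? Razor views recompile on change, so write
#    access here is the real exposure, with or without csc.exe present.
#    Only direct Allow ACEs are inspected; group membership and Deny ACEs are
#    not resolved, so treat a hit as a lead to verify, not a final verdict.
$writeMask  = [int][System.Security.AccessControl.FileSystemRights]::Write  # Modify/FullControl contain these bits
$identities = @($AppPoolIdentity, 'BUILTIN\IIS_IUSRS', 'BUILTIN\Users',
                'Everyone', 'NT AUTHORITY\Authenticated Users')
$dirs = @($SitePath, $binPath, (Join-Path $SitePath 'Views'))
foreach ($dir in $dirs) {
    if (-not (Test-Path -Path $dir)) { continue }
    $acl = Get-Acl -Path $dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($identities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Check  = 'WritableBy'
            Path   = $dir
            Detail = "$($ace.IdentityReference.Value) has $($ace.FileSystemRights)"
        }
    }
}
```

Run it from an elevated PowerShell session on the web server; an empty result for the WritableBy check is the state you want, since then neither csc.exe nor a modified view can be introduced by the site's own identity.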
