pvg1975
asked on
IDENTIFY A COMPUTER
Hi guys,
Is there any way to identify a computer when browsing my site? It is for a chat application, and I was wondering if it is possible to get the PC's MAC address. I won't use the IP address since it may change if the user does not have a static IP address.
Thanks!
Just curious, what is the risk of that code on the server? I would imagine it has something to do with allowing IUSR to access the network and write to disk.
Sounds like something that could be wrapped up into a DLL and sold for $10. :)
getMac.dll $10 order yours today :)
Also, I think in ASP.NET there are some special accounts for performing disk access and network functions from your ASPX pages without granting permissions to IUSR. That should make it safe...no?
2cents
ASKER
Hi peterxlane!
Same question as chisholmd. What's the risk of having that code on the server?
To be honest, I am just going based on what I have heard other users say in regards to running command line commands in your ASP code.
https://www.experts-exchange.com/questions/21287474/ASP-line-command.html
https://www.experts-exchange.com/questions/20579292/Running-network-commands.html
Once you have the permissions set correctly, this line:
<%
sh.run "%comspec% /c nbtstat -A " & strIP & " >" & Server.MapPath(strIP) & ".txt",0,true
%>
is executing that command line, so if it could be changed to:
<%
sh.run "%comspec% /c delete c: >" & Server.MapPath(strIP) & ".txt",0,true
%>
It would effectively delete the contents of the C: drive. This is the type of example that people always mention when pointing out that this type of thing is a security issue, but what I have never understood is that if someone had access to modify your source code, then theoretically they could make it do anything. One thing that you would obviously want to avoid is to give the user a text field and allow them to execute whatever they type in...clearly that would be a big security issue. But since the above code is merely passing the IP address and executing a specific command, I am not really clear on how it is a security issue, other than what others have said...
Granted that does sound nasty and I am not disagreeing. However, I would imagine that the shell is going to be running in the context of IUSR so delete C:\*.* probably wouldn't get very far. Also, in your example you're not using any user supplied parameters so you shouldn't have to worry so much about them injecting some nasty command.
In general I'd guess that granting IUSR write access so it can create the text files is probably more dangerous than simply shelling out a command (as long as there is no chance for injection).
If someone hasn't already, this should be (could be) written as an ActiveX DLL. Maybe I'll do that tonight.
*To be clear I am not saying it is 100% safe to do anything mentioned, I am just discussing the relative risks.
ASKER
I think I will use cookies :)
Thanks guys!
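<%
' Runs "nbtstat -A <ip>", redirects the output to a text file under the
' web root, then parses the "MAC Address = ..." line out of that file.
' strIP is concatenated into a command line and a file path, so it must
' only ever be a validated IP address, never raw user input.
Function GetMACAddress(strIP)
    Set net = Server.CreateObject("WScript.Network")
    Set sh = Server.CreateObject("WScript.Shell")
    ' Requires that the IIS account may run cmd.exe and write to this folder
    sh.run "%comspec% /c nbtstat -A " & strIP & " >" & Server.MapPath(strIP) & ".txt",0,true
    Set sh = nothing
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    Set ts = fso.opentextfile(Server.MapPath(strIP) & ".txt")
    macaddress = null
    ' Scan the nbtstat output for the line that carries the MAC address
    Do While Not ts.AtEndOfStream
        data = ucase(trim(ts.readline))
        If instr(data,"MAC ADDRESS") Then
            macaddress = trim(split(data,"=")(1))
            Exit Do
        Else
            macaddress = "Cannot Obtain Mac Address"
        End if
    Loop
    ts.close
    Set ts = nothing
    ' Remove the temporary output file
    fso.deletefile Server.MapPath(strIP) & ".txt"
    Set fso = nothing
    GetMACAddress = macaddress
End Function
%>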
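The two risks discussed in the thread (injection through `strIP`, and giving IUSR write access for the temporary file) can both be reduced in the function itself. The following is an added example, not code from any poster: `IsValidIPv4` and `GetMACAddressSafe` are hypothetical names, and reading the output through `WScript.Shell`'s `Exec` method is a swapped-in technique that assumes the IIS account is allowed to start `nbtstat`.

```vbscript
<%
' Added example: hardened variant of the thread's GetMACAddress.
' IsValidIPv4 and GetMACAddressSafe are hypothetical names, not from the thread.

' Accept only a dotted quad with each octet in 0..255, so nothing but
' digits and dots can ever reach the command line.
Function IsValidIPv4(strIP)
    Dim re, matches, i
    IsValidIPv4 = False
    Set re = New RegExp
    re.Pattern = "^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$"
    Set matches = re.Execute(strIP & "")
    If matches.Count <> 1 Then Exit Function
    For i = 0 To 3
        If CInt(matches(0).SubMatches(i)) > 255 Then Exit Function
    Next
    IsValidIPv4 = True
End Function

Function GetMACAddressSafe(strIP)
    Dim sh, proc, data
    GetMACAddressSafe = Null
    If Not IsValidIPv4(strIP) Then Exit Function   ' reject before building any command

    Set sh = Server.CreateObject("WScript.Shell")
    ' Exec starts nbtstat directly (no %comspec% /c, no ">" redirection),
    ' so no file is written under the web root and IUSR needs no write access.
    Set proc = sh.Exec("nbtstat -A " & strIP)
    Do While Not proc.StdOut.AtEndOfStream
        data = UCase(Trim(proc.StdOut.ReadLine))
        If InStr(data, "MAC ADDRESS") > 0 And InStr(data, "=") > 0 Then
            GetMACAddressSafe = Trim(Split(data, "=")(1))
            Exit Do
        End If
    Loop
    Set proc = Nothing
    Set sh = Nothing
End Function

' The address comes from the server variable, never from a form field or query string.
Dim mac
mac = GetMACAddressSafe(Request.ServerVariables("REMOTE_ADDR"))
If IsNull(mac) Then
    Response.Write "MAC address not available"
Else
    Response.Write Server.HTMLEncode(mac)
End If
%>
```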