
In order to use C# 6 features (like ?.) in a .cshtml file under MVC5, you need to include csc.exe and related files in your website's bin folder when you deploy it. OK, I can understand the reasons for that.

However, this now means that there's a full C# compiler sitting on my web server, with the same permissions as the website user. This makes me hesitate - in theory, an attacker could use it to run arbitrary code as if it were my website.

Is this actually a valid security concern?

I can see both sides: On the one hand, it's possible that you'd need the ability to execute arbitrary code already in order to be able to pass arbitrary code to the csc executable. On the other hand, I can see access to it being used to get access to internal website settings (like database connection strings) by running code that we'd never want to write.

Should I be concerned, or is this considered safe?

Bobson
  • I think the only advantage a hacker would gain from this is the ability to upload source code into your web site and compile it locally rather than having to upload a compiled binary program. I can see how it might be possible that a firewall would block the hacker from uploading binary files to your server whereas it might allow them to upload source code - which is only text. I think this is a purely theoretical risk, however, since if they already gained sufficient access to your system to run the compiler they can also run other things that are far more dangerous. – bikeman868 Sep 29 '16 at 00:53

1 Answer


As I understand it, MVC Razor views are in effect arbitrary C# code, which is recompiled on demand after any change.

So any hacker with access to the website server can run arbitrary C# code, in any version of MVC.

I agree it feels like a risk, because it is, but on the other hand you get the advantage of being able to change Views without republishing the whole website.
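The practical check that follows from the answer is whether the identity the site runs under can write to the folders from which code is loaded (Views\ for on-demand Razor compilation, bin\ for assemblies and csc.exe). This is an added PowerShell audit, not code from the question or answer; the site root path and app pool identity are assumed placeholders.

```powershell
# Added example: report ACL entries that let the site's own identity (or a broad
# group it is a member of) create or modify files in code-bearing folders.
# $SiteRoot and $SiteIdentity are assumed values; replace them for your deployment.
param(
    [string]$SiteRoot     = 'C:\inetpub\wwwroot\MySite',      # assumed path
    [string]$SiteIdentity = 'IIS APPPOOL\MySiteAppPool'       # assumed identity
)

# Folders where write access equals "can run arbitrary code as the website":
# Razor views are recompiled on change, bin\ holds the loaded assemblies.
$sensitive = @('Views', 'bin', 'App_Code') |
    ForEach-Object { Join-Path $SiteRoot $_ } |
    Where-Object { Test-Path $_ }

# Only write-type bits; deliberately not Modify/FullControl masks, since a
# -band against FullControl would also match read-only entries.
$R = [System.Security.AccessControl.FileSystemRights]
$writeRights = $R::WriteData -bor $R::AppendData -bor $R::Delete -bor
               $R::ChangePermissions -bor $R::TakeOwnership

# Identities whose write access effectively belongs to the site process.
$siteGroups = @($SiteIdentity, 'BUILTIN\IIS_IUSRS', 'BUILTIN\Users',
                'NT AUTHORITY\Authenticated Users', 'Everyone')

$findings = foreach ($dir in $sensitive) {
    $acl = Get-Acl -Path $dir
    foreach ($ace in $acl.Access) {
        $grantsWrite = ($ace.FileSystemRights -band $writeRights) -ne 0
        $isSite      = $siteGroups -contains $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and $isSite) {
            [pscustomobject]@{
                Path      = $dir
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    Write-Warning "Site identity can write to code-bearing folders; any file write there is code execution:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "OK: $SiteIdentity has no write access to $($sensitive -join ', ')"
}
```

Run it as an administrator on the web server; a clean result means the presence of csc.exe in bin\ adds nothing an attacker could not already do through Views\, and a finding means the fix is the ACL, not removing the compiler.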