Loading an ActiveX DLL is superslow

I have developed a Visual Basic 6.0 ActiveX DLL to help to interact with
some ASP pages.
I have copied the compiled DLL in C:\INETPUB\WWWROOT in my XP Pro machine.
After making some configuracion changes for solving the problems with the
message:

Server object error 'ASP 0178 : 80070005'
Server.CreateObject Access Error
The call to Server.CreateObject failed while checking permissions. Access is
denied to this object.

Basically, the changes were:
1. In IIS configuration check "Anonimous access"., Application protection
in "Low", Execution permissions, "Commands and executables."
2. Use CACLS to give the user IUSR_ full access to
MSVBVM60.DLL

Now I see that when I call the ASP page that uses the ActiveX DLL, in
Internet Explorer 6, it lasts about 5 minutes before I get the results.
After this first time, the response time is as usual.

Why this first loading is so slow, and how can I correct it ?

Re: Loading an ActiveX DLL is superslow

"Jaime Palli" wrote in message
news:%23Y4%23LEc$HHA.5160@TK2MSFTNGP05.phx.gbl...
> I have developed a Visual Basic 6.0 ActiveX DLL to help to interact with
> some ASP pages.
> I have copied the compiled DLL in C:\INETPUB\WWWROOT in my XP Pro machine.
> After making some configuracion changes for solving the problems with the
> message:
>
> Server object error 'ASP 0178 : 80070005'
> Server.CreateObject Access Error
> The call to Server.CreateObject failed while checking permissions. Access
is
> denied to this object.
>
> Basically, the changes were:
> 1. In IIS configuration check "Anonimous access"., Application protection
> in "Low", Execution permissions, "Commands and executables."
> 2. Use CACLS to give the user IUSR_ full access to
> MSVBVM60.DLL
>
> Now I see that when I call the ASP page that uses the ActiveX DLL, in
> Internet Explorer 6, it lasts about 5 minutes before I get the results.
> After this first time, the response time is as usual.
>
> Why this first loading is so slow, and how can I correct it ?
>

Does the Sub Main do anything?
Does the DLL make DB connections?


--
Anthony Jones - MVP ASP/ASP.NET

Re: Loading an ActiveX DLL is superslow

After further investigation with SysInternal's filemon program, I have seen
that the problem was in the permissions of the user IUSR_ over
some folder where a log file is written. Assigning permissions for this user
to the folder solved the problem.

I have some more questions about security:

Basically the system is composed of two components: a very simple .asp page
that serves as an interface to a Visual Basic 6.0 ActiveX dll.
The asp page does the following:

Set oWD = Server.CreateObject("AmWebDLL.clsWebDLL")
sData=oWD.GetData(Request.QueryString("action"),Request.Quer yString("data"),Request.QueryString("param"))
Response.Write sData

The dll reads and writes records to an Access database, located outside the
public web folders, and writes log information to a .txt file located in the
public web folder.
The folder where the database resides has other company internal programs
and databases.
As the IUSR_ must have read and write permissions over the
internal folder, my question is about to know if this is a security leakage.
Does this model expose the internal folder to outside users and hackers?





"Anthony Jones" escribió en el mensaje
news:%23e1ggVh$HHA.464@TK2MSFTNGP02.phx.gbl...
> "Jaime Palli" wrote in message
> news:%23Y4%23LEc$HHA.5160@TK2MSFTNGP05.phx.gbl...
>> I have developed a Visual Basic 6.0 ActiveX DLL to help to interact with
>> some ASP pages.
>> I have copied the compiled DLL in C:\INETPUB\WWWROOT in my XP Pro
>> machine.
>> After making some configuracion changes for solving the problems with the
>> message:
>>
>> Server object error 'ASP 0178 : 80070005'
>> Server.CreateObject Access Error
>> The call to Server.CreateObject failed while checking permissions. Access
> is
>> denied to this object.
>>
>> Basically, the changes were:
>> 1. In IIS configuration check "Anonimous access"., Application
>> protection
>> in "Low", Execution permissions, "Commands and executables."
>> 2. Use CACLS to give the user IUSR_ full access to
>> MSVBVM60.DLL
>>
>> Now I see that when I call the ASP page that uses the ActiveX DLL, in
>> Internet Explorer 6, it lasts about 5 minutes before I get the results.
>> After this first time, the response time is as usual.
>>
>> Why this first loading is so slow, and how can I correct it ?
>>
>
> Does the Sub Main do anything?
> Does the DLL make DB connections?
>
>
> --
> Anthony Jones - MVP ASP/ASP.NET
>
>

Re: Loading an ActiveX DLL is superslow

"Jaime Palli" wrote in message
news:OUkY3Y4AIHA.1212@TK2MSFTNGP05.phx.gbl...
> After further investigation with SysInternal's filemon program, I have
seen
> that the problem was in the permissions of the user IUSR_
over
> some folder where a log file is written. Assigning permissions for this
user
> to the folder solved the problem.
>
> I have some more questions about security:
>
> Basically the system is composed of two components: a very simple .asp
page
> that serves as an interface to a Visual Basic 6.0 ActiveX dll.
> The asp page does the following:
>
> Set oWD = Server.CreateObject("AmWebDLL.clsWebDLL")
>
sData=oWD.GetData(Request.QueryString("action"),Request.Quer yString("data"),
Request.QueryString("param"))
> Response.Write sData
>
> The dll reads and writes records to an Access database, located outside
the
> public web folders, and writes log information to a .txt file located in
the
> public web folder.
> The folder where the database resides has other company internal programs
> and databases.
> As the IUSR_ must have read and write permissions over the
> internal folder, my question is about to know if this is a security
leakage.
> Does this model expose the internal folder to outside users and hackers?
>
>

Unless the folder where the database resides is placed in somewhere that can
be accessed via a URL then a hacker can't simply form a URL to fetch it.

However you should be careful about how you create SQL code by using
parameterised queries and not concatenating any values received from the
client into a SQL string.

BTW how big might the content of the querystring values become?

--
Anthony Jones - MVP ASP/ASP.NET

Re: Loading an ActiveX DLL is superslow

This is the main reason I have tought in using the dll, controlling
parameters.
As far as I can, I try to control what information is coming in the
parameters, and reject anything else.
The parameters that come to the dll from the client are simple, they are not
SQL queries, and they are not appended to internal dll SQL queries.
Therefore I can control the maximum length of what is coming.
Thanks



"Anthony Jones" escribió en el mensaje
news:%236F5I14AIHA.2268@TK2MSFTNGP04.phx.gbl...
> "Jaime Palli" wrote in message
> news:OUkY3Y4AIHA.1212@TK2MSFTNGP05.phx.gbl...
>> After further investigation with SysInternal's filemon program, I have
> seen
>> that the problem was in the permissions of the user IUSR_
> over
>> some folder where a log file is written. Assigning permissions for this
> user
>> to the folder solved the problem.
>>
>> I have some more questions about security:
>>
>> Basically the system is composed of two components: a very simple .asp
> page
>> that serves as an interface to a Visual Basic 6.0 ActiveX dll.
>> The asp page does the following:
>>
>> Set oWD = Server.CreateObject("AmWebDLL.clsWebDLL")
>>
> sData=oWD.GetData(Request.QueryString("action"),Request.Quer yString("data"),
> Request.QueryString("param"))
>> Response.Write sData
>>
>> The dll reads and writes records to an Access database, located outside
> the
>> public web folders, and writes log information to a .txt file located in
> the
>> public web folder.
>> The folder where the database resides has other company internal programs
>> and databases.
>> As the IUSR_ must have read and write permissions over the
>> internal folder, my question is about to know if this is a security
> leakage.
>> Does this model expose the internal folder to outside users and hackers?
>>
>>
>
> Unless the folder where the database resides is placed in somewhere that
> can
> be accessed via a URL then a hacker can't simply form a URL to fetch it.
>
> However you should be careful about how you create SQL code by using
> parameterised queries and not concatenating any values received from the
> client into a SQL string.
>
> BTW how big might the content of the querystring values become?
>
> --
> Anthony Jones - MVP ASP/ASP.NET
>
>

Re: Loading an ActiveX DLL is superslow

"Jaime Palli" wrote in message
news:Ol%23cKZ5AIHA.5160@TK2MSFTNGP05.phx.gbl...
> This is the main reason I have tought in using the dll, controlling
> parameters.
> As far as I can, I try to control what information is coming in the
> parameters, and reject anything else.
> The parameters that come to the dll from the client are simple, they are
not
> SQL queries, and they are not appended to internal dll SQL queries.

Thats good.

> Therefore I can control the maximum length of what is coming.

You can't control the maximum length of what is coming in. However it is
possible to reasonably sure that anything that would exceed the maximum size
of a URL would not be valid anyway.

--
Anthony Jones - MVP ASP/ASP.NET