Loading an ActiveX DLL is superslow

"Jaime Palli" <jp****@bigfoot.comwrote in message
news:%2******************@TK2MSFTNGP05.phx.gbl...

I have developed a Visual Basic 6.0 ActiveX DLL to help to interact with
some ASP pages.
I have copied the compiled DLL in C:\INETPUB\WWWROOT in my XP Pro machine.
After making some configuracion changes for solving the problems with the
message:

Server object error 'ASP 0178 : 80070005'
Server.CreateObject Access Error
The call to Server.CreateObject failed while checking permissions. Access

is

denied to this object.

Basically, the changes were:
1. In IIS configuration check "Anonimous access"., Application protection
in "Low", Execution permissions, "Commands and executables."
2. Use CACLS to give the user IUSR_<computernamefull access to
MSVBVM60.DLL

Now I see that when I call the ASP page that uses the ActiveX DLL, in
Internet Explorer 6, it lasts about 5 minutes before I get the results.
After this first time, the response time is as usual.

Why this first loading is so slow, and how can I correct it ?

Does the Sub Main do anything?
Does the DLL make DB connections?
--
Anthony Jones - MVP ASP/ASP.NET

After further investigation with SysInternal's filemon program, I have seen
that the problem was in the permissions of the user IUSR_<computernameover
some folder where a log file is written. Assigning permissions for this user
to the folder solved the problem.

I have some more questions about security:

Basically the system is composed of two components: a very simple .asp page
that serves as an interface to a Visual Basic 6.0 ActiveX dll.
The asp page does the following:

Set oWD = Server.CreateObject("AmWebDLL.clsWebDLL")
sData=oWD.GetData(Request.QueryString("action"),Re quest.QueryString("data"),Request.QueryString("par am"))
Response.Write sData

The dll reads and writes records to an Access database, located outside the
public web folders, and writes log information to a .txt file located in the
public web folder.
The folder where the database resides has other company internal programs
and databases.
As the IUSR_<computernamemust have read and write permissions over the
internal folder, my question is about to know if this is a security leakage.
Does this model expose the internal folder to outside users and hackers?

"Anthony Jones" <An*@yadayadayada.comescribió en el mensaje
news:%2***************@TK2MSFTNGP02.phx.gbl...

"Jaime Palli" <jp****@bigfoot.comwrote in message
news:%2******************@TK2MSFTNGP05.phx.gbl...

>I have developed a Visual Basic 6.0 ActiveX DLL to help to interact with
some ASP pages.
I have copied the compiled DLL in C:\INETPUB\WWWROOT in my XP Pro
machine.
After making some configuracion changes for solving the problems with the
message:

Server object error 'ASP 0178 : 80070005'
Server.CreateObject Access Error
The call to Server.CreateObject failed while checking permissions. Access

is

>denied to this object.

Basically, the changes were:
1. In IIS configuration check "Anonimous access"., Application
protection
in "Low", Execution permissions, "Commands and executables."
2. Use CACLS to give the user IUSR_<computernamefull access to
MSVBVM60.DLL

Now I see that when I call the ASP page that uses the ActiveX DLL, in
Internet Explorer 6, it lasts about 5 minutes before I get the results.
After this first time, the response time is as usual.

Why this first loading is so slow, and how can I correct it ?

Does the Sub Main do anything?
Does the DLL make DB connections?
--
Anthony Jones - MVP ASP/ASP.NET

"Jaime Palli" <jp****@bigfoot.comwrote in message
news:OU**************@TK2MSFTNGP05.phx.gbl...

After further investigation with SysInternal's filemon program, I have

seen

that the problem was in the permissions of the user IUSR_<computername>

over

some folder where a log file is written. Assigning permissions for this

user

to the folder solved the problem.

I have some more questions about security:

Basically the system is composed of two components: a very simple .asp

page

that serves as an interface to a Visual Basic 6.0 ActiveX dll.
The asp page does the following:

Set oWD = Server.CreateObject("AmWebDLL.clsWebDLL")

sData=oWD.GetData(Request.QueryString("action"),Re quest.QueryString("data"),
Request.QueryString("param"))

Response.Write sData

The dll reads and writes records to an Access database, located outside

the

public web folders, and writes log information to a .txt file located in

the

public web folder.
The folder where the database resides has other company internal programs
and databases.
As the IUSR_<computernamemust have read and write permissions over the
internal folder, my question is about to know if this is a security

leakage.

Does this model expose the internal folder to outside users and hackers?

Unless the folder where the database resides is placed in somewhere that can
be accessed via a URL then a hacker can't simply form a URL to fetch it.

However you should be careful about how you create SQL code by using
parameterised queries and not concatenating any values received from the
client into a SQL string.

BTW how big might the content of the querystring values become?

--
Anthony Jones - MVP ASP/ASP.NET

This is the main reason I have tought in using the dll, controlling
parameters.
As far as I can, I try to control what information is coming in the
parameters, and reject anything else.
The parameters that come to the dll from the client are simple, they are not
SQL queries, and they are not appended to internal dll SQL queries.
Therefore I can control the maximum length of what is coming.
Thanks

"Anthony Jones" <An*@yadayadayada.comescribió en el mensaje
news:%2****************@TK2MSFTNGP04.phx.gbl...

"Jaime Palli" <jp****@bigfoot.comwrote in message
news:OU**************@TK2MSFTNGP05.phx.gbl...

>After further investigation with SysInternal's filemon program, I have

seen

>that the problem was in the permissions of the user IUSR_<computername>

over

>some folder where a log file is written. Assigning permissions for this

user

>to the folder solved the problem.

I have some more questions about security:

Basically the system is composed of two components: a very simple .asp

page

>that serves as an interface to a Visual Basic 6.0 ActiveX dll.
The asp page does the following:

Set oWD = Server.CreateObject("AmWebDLL.clsWebDLL")

sData=oWD.GetData(Request.QueryString("action"),Re quest.QueryString("data"),
Request.QueryString("param"))

>Response.Write sData

The dll reads and writes records to an Access database, located outside

the

>public web folders, and writes log information to a .txt file located in

the

>public web folder.
The folder where the database resides has other company internal programs
and databases.
As the IUSR_<computernamemust have read and write permissions over the
internal folder, my question is about to know if this is a security

leakage.

>Does this model expose the internal folder to outside users and hackers?

Unless the folder where the database resides is placed in somewhere that
can
be accessed via a URL then a hacker can't simply form a URL to fetch it.

However you should be careful about how you create SQL code by using
parameterised queries and not concatenating any values received from the
client into a SQL string.

BTW how big might the content of the querystring values become?

--
Anthony Jones - MVP ASP/ASP.NET

"Jaime Palli" <jp****@bigfoot.comwrote in message
news:Ol****************@TK2MSFTNGP05.phx.gbl...

This is the main reason I have tought in using the dll, controlling
parameters.
As far as I can, I try to control what information is coming in the
parameters, and reject anything else.
The parameters that come to the dll from the client are simple, they are

not

SQL queries, and they are not appended to internal dll SQL queries.

Thats good.

Therefore I can control the maximum length of what is coming.

You can't control the maximum length of what is coming in. However it is
possible to reasonably sure that anything that would exceed the maximum size
of a URL would not be valid anyway.

--
Anthony Jones - MVP ASP/ASP.NET