3

I've had this question for many years, and did research every time that this issue arose, but could never find a definite answer. Somehow the mighty Internet, MSDN, community forums, are either silent or vague on this. Out of thousands of development-related uncertainties, this is the only one that remained elusive.

To the point: in order to enable users to upload and manage images (and other files) used in their blog posts, in a shared hosting environment, I can either consider SQL Server binary data types (performance implications), or the file system. To use the latter, the necessary permissions need to be set for the IIS_IUSRS role on the storage directory : create/write, read and delete. My question - if I do this, what are the security implications? Could someone somehow take advantage of this, bypass the ASP.NET request pipeline and manipulate the files inside the folder without making a request to the corresponding ASP.NET handler (which checks rights, validates uploads, etc.)?

I've developed several systems that allowed file uploads and this has always bothered me. Now, hopefully, someone will be able to put my mind at ease and, ideally, explain the mechanics behind the process.

UPDATE

After viewing the latest answers (many thanks), another formulation of the question:

Is it in any way possible for a client to somehow bypass the request pipeline and create/delete files inside a directory that allows it (assuming the person knows the directory structure)? Or only the code that handles the request can do it? Any potential exploits?

constantine g
  • 169
  • 5

2 Answers2

1

The main problem is to been able to upload a script, an aspx page, in this directory with the photo files, and runs it.

Here is one case: I've been hacked. Evil aspx file uploaded called AspxSpy. They're still trying. Help me trap them‼

The solution to that is to add this extra web.config file on the directories that allow to upload files and not permit to run any aspx page. Also double check to allow only extensions that you permit and not allow to change that on the file name, if they have the opportunity to make rename.

<configuration>
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
</configuration>

Also on the directories that you allow to upload files, do not permit to run any other script like simple asp, or php or exe, or anything.

general speaking

All your pages have permissions to run and manipulate many things on the server. What you give now is the ability of write on some directories, also by using some aspx page. The asp.net now have one more extra permission to write files there, on the photo folder. Also note here, that you asp.net page have this control, not the user. What you do there with your code can write on this directories, so must be carefuller there to double check where you write and not allow any other directories, not allow the user to manipulate the directory that can be written to.

So this is the weak link. To been able to upload more script that can take control of the server, at least the part that can be access by the asp.net user of this pool.

Community
  • 1
  • 1
Aristos
  • 66,005
  • 16
  • 114
  • 150
  • Yes, very good points there. Thanks for the link. Didn't think about using web.config for disallowing aspx execution in sub-folders. So it could be placed in a sub-directory one level above the one with write permissions as an extra precaution in addition to not using original file names/extensions. – constantine g Nov 01 '12 at 10:53
  • So what you're saying is that it's not in any way possible for a client to bypass the request pipeline and create/delete files inside a directory that allows it (assuming the person knows the directory structure)? Only the code that handles the request can do it? Any potential exploits? That's the essence of my question. – constantine g Nov 01 '12 at 11:41
  • @constantineg The asp.net used did not have permission for write on directories, only permission to read and run. Actually there are two accounts that work together for the asp.net to run. The user, and the pool. Both of them have limited permissions, but if you allow to write on a directory, then there can create code to run and do more - open permissions etc... so there is the point to focus, to not allow to upload any script. – Aristos Nov 01 '12 at 11:55
1

Having done this before, I'd make two recommendations:

First, do not store the uploaded files in the same directory structure as your application code (if possible). Make it a well-defined external location, and locked down explicitly to only the user the application is running as. This makes it harder for a malicious upload to be injected into your application as nothing in the web server, or ASP.NET itself, knows how to access the file (only your application).

If that is absolutely not possible to do so, be sure to make sure no external user can access the storage folder using standard ASP.NET authorization and only allow writes by your application user to this folder, nothing else.

Second, do not store the uploaded files with their original names and file extensions; Keep that meta-data separate. Just consider the file a raw binary blob of data. This is good for a couple reasons. First, it prevents inadvertent execution of the file on the server, be it by someone accessing the file system directly, the web server, or ASP.NET. Second, it makes it much more difficult for an attacker to exploit a malicious upload as they should never be able to guess the name, or path, of the file on the server.

Mara Morton
  • 4,429
  • 1
  • 21
  • 12
  • Thanks Michael! Valuable thoughts there. Since the website is being developed for shared hosting at the moment, having an external location is not possible, unless it's a third party service (e.g. dropbox or similar). But that could be worth looking into. I didn't quite understand the second point, but maybe because it's almost 12 am here :). – constantine g Nov 01 '12 at 10:31
  • The last point is especially important. This makes me think along these lines: use URL rewriting to hide the real image/directory path, and like you said, rename the file (e.g. some form of unique ID). Also, an excellent suggestion here on SO was to always resize uploaded images to ensure they're really images (any malicious content may also become corrupt in the process). – constantine g Nov 01 '12 at 10:42