If it's possible, which I think it is, how do I modify my web.config to make a subdirectory static -- files inside will only be processed as static files, even if a file's name is "aspx" or something else? Thanks.
27
-
Why don't you block `.as?x` uploads? – SLaks Jan 14 '10 at 02:10
-
because there could be a lot more than .as?x, such as .php, .asp, and so on. – deerchao Jan 14 '10 at 03:42
1 Answer
56
Add the following to a `web.config` file in the folder containing the files you wish to be served only as static content:

```xml
<configuration>
    <system.webServer>
        <handlers>
            <!-- Drop every handler mapping inherited from parent configuration -->
            <clear />
            <!-- Route all paths and verbs to the static-file modules, read access only -->
            <add
                name="StaticFile"
                path="*" verb="*"
                modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule"
                resourceType="Either"
                requireAccess="Read" />
        </handlers>
        <staticContent>
            <!-- Wildcard MIME map: application/octet-stream for any extension -->
            <mimeMap fileExtension=".*" mimeType="application/octet-stream" />
        </staticContent>
    </system.webServer>
</configuration>
```

Kev
-
Tested ok on IIS and IIS Express, though it does not work on VS integrated Web Server. – deerchao Sep 05 '11 at 09:58
-
@deerchao - no it won't because the integrated "cassini" server doesn't support ` `. – Kev Sep 05 '11 at 10:19
-
That works until someone uploads a new web.config into your open uploads folder and redefines all handlers. See my [answer here](https://webmasters.stackexchange.com/a/123099/86063). See [this link](http://spidersec.ninja/rce-on-iis-webserver-via-web-config/) for exploit example. – drizin May 28 '19 at 02:08
-
@drizin - Sure....but not everyone has access to the root web.config. If someone not trusted by your org is able to upload random stuff to your site then it's pretty much game over anyway. – Kev May 28 '19 at 03:02
-
I received a 403.3 because of insufficient permissions. Within the ` ` tag, I added ` ` instead of ` ` and changed the `requireAccess` property value from `Write` to `Read`. – Wouter Vanherck Aug 28 '20 at 07:53
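
An added example, not from the answer or its comments: a Python check that a deployment step or upload handler could run, covering both the answer's static-only configuration and the replaced-`web.config` case raised in the comments. The function names, the second sample config and the `Example.Handler` type name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Modules used by the answer's StaticFile handler; any other module can run code.
STATIC_MODULES = {"StaticFileModule", "DefaultDocumentModule", "DirectoryListingModule"}
SAFE_ACCESS = {"None", "Read"}  # requireAccess values that grant no script/execute rights

# The answer's config, condensed (same elements and attributes).
ANSWER_CONFIG = """<configuration><system.webServer><handlers>
  <clear />
  <add name="StaticFile" path="*" verb="*" resourceType="Either" requireAccess="Read"
       modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" />
</handlers></system.webServer></configuration>"""

# Constructed sample: a replaced folder config that maps a managed handler again.
# "Example.Handler" is a hypothetical placeholder type name.
OVERRIDDEN_CONFIG = """<configuration><system.webServer><handlers>
  <add name="Managed" path="*.aspx" verb="*" type="Example.Handler" />
</handlers></system.webServer></configuration>"""


def audit_static_only(config_xml):
    """Return findings; an empty list means the folder config is static-only."""
    handlers = ET.fromstring(config_xml).find("system.webServer/handlers")
    if handlers is None:
        return ["no <handlers> section: parent handler mappings are inherited"]
    findings = []
    children = list(handlers)
    if not children or children[0].tag != "clear":
        findings.append("<handlers> does not start with <clear />")
    for el in children:
        if el.tag != "add":
            continue
        name = el.get("name", "?")
        modules = {m.strip() for m in el.get("modules", "").split(",") if m.strip()}
        if not modules or modules - STATIC_MODULES:
            findings.append(f"{name}: modules are not static-only")
        if el.get("type") or el.get("scriptProcessor"):
            findings.append(f"{name}: maps a managed type or script processor")
        access = el.get("requireAccess", "Script")  # IIS default when omitted
        if access not in SAFE_ACCESS:
            findings.append(f"{name}: requireAccess={access}")
    return findings


def is_config_upload(filename):
    """True if the upload would be stored as web.config (Windows ignores case
    and strips trailing dots and spaces from file names)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rstrip(". ").lower() == "web.config"
```

Run `audit_static_only` against the folder's `web.config` on a schedule or after each deployment, and call `is_config_upload` on the client-supplied name before an upload is written to disk.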