7

I'm working on photo album functionality for my .net MVC 5 site and I recently ran into an issue where by default .net limits file uploads to 4 MB.

Not wanting to ever encounter this error again, I am tempted to set it to something large like 1 GB. But this seems like it might be a bad idea. I have 3 questions:

  1. What security holes do I open up if I set the file upload max length to 1 GB?

  2. Someone recommended that I increase the file upload length only for uploads to a specific directory. Is this actually any more secure?

  3. In .net, the config files are not specific if I am limiting the length of POSTs, GETs, or all requests. I assume that this restriction applies to all requests?

Community
  • 1
  • 1
John Shedletsky
  • 7,110
  • 12
  • 38
  • 63

2 Answers2

4

What security holes do I open up if I set the file upload max length to 1 GB?

It'd be easier for a resource consuming DoS attack to succeed. 1GB may be high, but this may be an acceptable risk to you if you need to accept files that large. This setting depends on what resources your server has (particularly memory and disk size) and the requirements of your application.

Yes, a malicious user could post many small files rather than one massive file - but these individual requests will be queued up along with the legitimate requests to your server. Chances are that the server will have finished processing a malicious one before a legitimate one. For example, a malicious user uploading 1GB might block a thread while that file is processed, whereas the load caused by 1000 one megabyte files can be spread out within the application's processing.

Another attack is a DDoS attack which can be thought of as many DoS attacks at once. Increasing the maximum length allowed of a single request could mean that a DDoS attack succeeds whereas a normal DoS attack doesn't because a single user only has a limited amount of available bandwidth. That is, you're making it easier for lots of users to post big files whereas before the amount of damage per user was limited by single file size.

Someone recommended that I increase the file upload length only for uploads to a specific directory. Is this actually any more secure?

If only a limited set of users has access to the page that has large file uploads allowed then this will limit any attack.

This should work because AuthorizeRequest is called before ProcessRequest where the HttpRuntime settings are applied.

In .net, the config files are not specific if I am limiting the length of POSTs, GETs, or all requests. I assume that this restriction applies to all requests?

Yes, this applies to all requests. If you're willing to accept a large request size on a POST then there is no additional risk of allowing this on a GET. The only advantage would be on an Intrusion Detection System (IDS) application level because it would be able to log a large GET request as suspicious activity.

SilverlightFox
  • 32,436
  • 11
  • 76
  • 145
0

you run your software on limited hardware yet you want to offer unlimited resources to your users? you may have not enough ram or disk space. bigger task will take more time so your thread will be unavailable longer. that may affect responsiveness. it will be easier to DDOS the application. displaying such a large photo will also affect responsiveness, use your customers ram, crash their browser so they may never come back to your site again... and probably many many more i can't think of right now

piotrek
  • 13,982
  • 13
  • 79
  • 165
  • I accept that this is the conventional wisdom, however it seems like the ability to attack a site through a long upload is limited by available bandwidth, and so, in some sense, is harder to do than just bombarding a server with short requests, where the bottleneck is the number of concurrent requests the server can handle. – John Shedletsky Jan 23 '15 at 19:43