
I have a C# .NET application that allows users to upload documents. The documents are then scanned for malware and saved. These documents are saved in a share file and in an uploads folder. The share file is on the intranet on a separate server. The uploads folder sits in the same directory as the application, but is not part of the application. The host server is running IIS 7 with directory listing off.

The issue is that if an outside user is able to guess the naming convention and the file name, they can type that into a browser and view the document.

The application runs under a user account. We have tried setting the permissions on the uploads folder to only allow the application's user account access, which did not work.

I also tried adding a web config to the folder:

<?xml version="1.0"?>
<configuration>
    <system.web>
      <authorization>
        <allow users="application_user_account" />
        <deny users="?" />
      </authorization>
    </system.web>
</configuration>

This did not work when placed inside the uploads folder, but when it was accidentally placed in a folder one level up, the server denied all users access to all the applications hosted in the environment.

Does anyone have a solution for preventing direct access to the uploads folder in this scenario?

rogerdeuce

2 Answers


You may want to check out the <location> node: Click Here

<location path="Logon.aspx">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>

This seems to be a duplicate of: How to restrict folder access in asp.net

Grady G Cooper

Move the uploads folder into App_Data.

e.g. ~/App_Data/Uploads

App_Data is a special folder that cannot be read from the web.

Any attempt at navigating to example.com/App_Data/Uploads/Foo.docx will result in an authorisation error, e.g. an HTTP 403 Forbidden response.

SilverlightFox
  • I have been trying to implement this solution today. I found this article about using the App_Data folder: http://www.codeproject.com/Articles/31557/A-Beginner-s-Guide-to-ASP-NET-Application-Folders#h Do I need to set up a database file that goes into the App_Data folder, which I can then insert files into? Initially I was getting access denied errors, but after adjusting the path I was able to go through the application without throwing errors, however the files are not landing in my App_Data folder, and there is not an App_Data folder being created on the server containing these files. – rogerdeuce May 08 '15 at 21:10
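The two answers above point at the same design: nothing under the uploads folder is ever served as a static file, and every download goes through application code that checks who is asking. The added example below (my code, not from the question or either answer) puts that together for an ASP.NET 4.x / IIS 7 application in integrated mode. The folder name ~/App_Data/Uploads, the handler name download.ashx and the type name SecureUploads.DownloadHandler are assumptions for illustration. App_Data needs no database: it is an ordinary folder that IIS refuses to serve because Request Filtering lists it as a hidden segment, and the handler simply reads files from it. Two caveats worth knowing when the web.config approach from the question "did not work": the `<system.web><authorization>` rules are enforced by the managed UrlAuthorizationModule, which by default carries the `managedHandler` precondition and so does not run for static .docx or .pdf requests in integrated mode; and NTFS permissions on the folder cannot help while the application's own identity is the one IIS uses to read the file. Blocking the folder at the IIS level (hidden segment, shown in the comment) or moving it into App_Data closes the static path; the handler then becomes the only way in.

```csharp
// Added example: an IHttpHandler that is the only route to uploaded documents.
//
// Assumed web.config registration (IIS 7 integrated pipeline):
//
//   <system.webServer>
//     <handlers>
//       <add name="Download" path="download.ashx" verb="GET"
//            type="SecureUploads.DownloadHandler" />
//     </handlers>
//     <!-- Only needed while an uploads folder still sits outside App_Data:
//          IIS Request Filtering then rejects any URL containing the segment,
//          the same mechanism that already protects App_Data and bin. -->
//     <security>
//       <requestFiltering>
//         <hiddenSegments>
//           <add segment="Uploads" />
//         </hiddenSegments>
//       </requestFiltering>
//     </security>
//   </system.webServer>
using System;
using System.IO;
using System.Web;

namespace SecureUploads
{
    public class DownloadHandler : IHttpHandler
    {
        // Assumed location of the scanned documents; App_Data is never served directly.
        private const string UploadsRoot = "~/App_Data/Uploads";

        public bool IsReusable { get { return true; } }

        public void ProcessRequest(HttpContext context)
        {
            // 1. Authorisation happens here, not in the file system. Replace this
            //    with a per-document ownership check if documents belong to users.
            if (context.User == null || !context.User.Identity.IsAuthenticated)
            {
                context.Response.StatusCode = 401;
                return;
            }

            // 2. Resolve the requested name to a file inside the uploads root, or fail.
            string requested = context.Request.QueryString["file"];
            string fullPath;
            if (!TryResolveUpload(context.Server.MapPath(UploadsRoot), requested, out fullPath))
            {
                // Traversal attempt and unknown name get the same answer, so a
                // guessed URL does not reveal which files exist.
                context.Response.StatusCode = 404;
                return;
            }

            // 3. Stream the file as a download; never let the browser sniff or
            //    render it in place (an uploaded HTML or SVG file would run script).
            context.Response.ContentType = "application/octet-stream";
            context.Response.AppendHeader("Content-Disposition",
                "attachment; filename=\"" + Path.GetFileName(fullPath) + "\"");
            context.Response.AppendHeader("X-Content-Type-Options", "nosniff");
            context.Response.TransmitFile(fullPath);
        }

        // Maps a user-supplied name to an existing file under uploadsDir.
        // Returns false for empty names, anything containing a directory
        // component or invalid character, and anything whose canonical path
        // escapes the uploads root.
        internal static bool TryResolveUpload(string uploadsDir, string name, out string fullPath)
        {
            fullPath = null;
            if (string.IsNullOrEmpty(name)) return false;

            // Accept bare file names only: no slashes, no "..\", no drive letters.
            if (name != Path.GetFileName(name) ||
                name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
                return false;

            string root = Path.GetFullPath(uploadsDir)
                .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
            string candidate = Path.GetFullPath(Path.Combine(root, name));

            // Canonicalised path must still be under the root (catches "." and "..").
            if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return false;
            if (!File.Exists(candidate)) return false;

            fullPath = candidate;
            return true;
        }
    }
}
```

With this in place, a request such as /download.ashx?file=Foo.docx succeeds only for an authenticated user and only for a file that actually exists under the uploads root; /App_Data/Uploads/Foo.docx and /Uploads/Foo.docx are rejected by IIS before any application code runs, so guessing the naming convention no longer helps.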