
I have to create a utility through which a user can upload single or multiple files using the ASP.NET FileUpload server control.

I am looking for the security concerns for the same. What are the points we need to keep in mind that could violate security? One main issue in my mind is related to viruses, i.e.

  1. How to prompt the user about viruses and terminate the upload operation
  2. How to scan files for viruses during the upload operation

There may be several security risks. Please discuss the issues/risks with proposed solutions.

Any reply to this is most appreciated.

Thanks in advance

Gaurav Arora

2 Answers


The risks all centre around the fact that naughty people will upload things that can execute on the web server machine and cause problems.

A pragmatic way of preventing issues relating to malicious file uploads is to restrict the file types your server will accept by checking the PostedFile.ContentType property. This identifies the MIME type. It is best to exclude things like .exe, and then of course there are issues around macros and VBA automation in MS Office-generated files like .doc and .xls.

There's a 'how to' here: How to restrict file type in FileUpload control

immutabl
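The following is an added example, not code from the answer above or from the question's project. It goes beyond the ContentType check the answer proposes: ContentType is whatever the browser (or an attacker's script) chose to send, so the example treats it as one signal among several and also applies an extension allowlist, a filename check and a magic-byte check on the bytes actually received, then stores the file under a server-generated name. The control names (btnUpload, lblStatus), the allowlist, the 5 MB cap and the storage folder path are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Web;
using System.Web.UI;

// Code-behind for a hypothetical Upload.aspx holding a FileUpload control,
// a Button (btnUpload) and a Label (lblStatus). All three names are assumptions.
public partial class UploadPage : Page
{
    private const int MaxBytes = 5 * 1024 * 1024;   // example policy: 5 MB per file

    // Assumed storage folder; kept outside the web root so IIS never serves it directly.
    private const string UploadFolder = @"C:\hosting-space\myuser\mydomain.com\USERUPLOADs";

    // Allowlist: for each extension, the MIME types a browser may declare for it ...
    private static readonly Dictionary<string, string[]> AllowedMime =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { ".jpg", new[] { "image/jpeg", "image/pjpeg" } },
            { ".png", new[] { "image/png" } },
            { ".pdf", new[] { "application/pdf" } },
        };

    // ... and the leading bytes (magic number) the uploaded content must start with.
    private static readonly Dictionary<string, byte[]> Magic =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
        {
            { ".jpg", new byte[] { 0xFF, 0xD8, 0xFF } },
            { ".png", new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } },
            { ".pdf", new byte[] { 0x25, 0x50, 0x44, 0x46 } },   // "%PDF"
        };

    protected void btnUpload_Click(object sender, EventArgs e)
    {
        // Request.Files covers one FileUpload with AllowMultiple="true" or several controls.
        for (int i = 0; i < Request.Files.Count; i++)
        {
            HttpPostedFile posted = Request.Files[i];
            if (posted == null || posted.ContentLength == 0) continue;

            string error;
            if (!IsAcceptable(posted, out error))
            {
                lblStatus.Text = HttpUtility.HtmlEncode(error);   // stop; nothing is written to disk
                return;
            }

            // Never keep the client's filename on disk: store under a random name we generate.
            string ext = Path.GetExtension(posted.FileName).ToLowerInvariant();
            string storedName = Guid.NewGuid().ToString("N") + ext;
            posted.SaveAs(Path.Combine(UploadFolder, storedName));
        }
        lblStatus.Text = "Upload complete.";
    }

    // True only when size, filename, declared MIME type and the real content all agree.
    internal static bool IsAcceptable(HttpPostedFile posted, out string error)
    {
        error = null;
        if (posted.ContentLength > MaxBytes) { error = "File too large."; return false; }

        // Browsers (and attackers) may send a path; keep only the last segment.
        string name;
        try { name = Path.GetFileName(posted.FileName); }
        catch (ArgumentException) { error = "Invalid file name."; return false; }   // illegal path chars

        // Reject "shell.aspx;.jpg" and "shell.aspx.jpg": exactly one dot, no separator tricks.
        if (string.IsNullOrEmpty(name) || name.Count(c => c == '.') != 1 ||
            name.IndexOfAny(new[] { ';', ':', '\0' }) >= 0)
        {
            error = "Invalid file name.";
            return false;
        }

        string ext = Path.GetExtension(name);
        string[] mimes;
        if (!AllowedMime.TryGetValue(ext, out mimes)) { error = "File type not allowed."; return false; }

        // ContentType is client-supplied: a mismatch is grounds to reject, a match proves nothing.
        if (!mimes.Contains(posted.ContentType, StringComparer.OrdinalIgnoreCase))
        {
            error = "Declared content type does not match the extension.";
            return false;
        }

        // Compare the bytes actually uploaded with the expected magic number.
        byte[] expected = Magic[ext];
        byte[] head = new byte[expected.Length];
        int read = posted.InputStream.Read(head, 0, head.Length);
        posted.InputStream.Position = 0;   // rewind so SaveAs writes the whole file
        if (read < expected.Length || !head.SequenceEqual(expected))
        {
            error = "File content does not match its extension.";
            return false;
        }
        return true;
    }
}
```

The magic-byte check only proves the file starts like a JPEG, PNG or PDF; it does not prove the rest is harmless (a PDF can still carry JavaScript, and a GIF/JPEG can still carry an appended script), which is why the file is also renamed and, as the second answer discusses, should be stored where IIS cannot execute it. Note that ASP.NET's maxRequestLength setting (4 MB by default) rejects oversized requests before this code runs, so the MaxBytes check and that setting need to agree.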

Based on my experience developing file-sharing systems, checking file extensions is simple but not enough: there was a bug in IIS 6 that let hackers bypass these checks by adding a ";" to part of the filename and upload their shell scripts as an image!

The best method is to save user-uploaded files one folder above the site root folder. For example, if your site folder is:

c:\hosting-space\myuser\mydomain.com\www-root\

your code has to save files to:

c:\hosting-space\myuser\mydomain.com\USERUPLOADs\

By this trick the IIS user cannot have direct access to an uploaded virus or shell script!

Then use a .aspx file to read the file stream indirectly:

<img src="/loadfiles.aspx?name=?????" />

The benefits are many; for example, you can write a stat counter, check the user session, or avoid cross-site access to your users' files. However, you will need some coding skills to add download resume support for huge files, and you should take care of script timeouts and so on.

Another solution that I haven't tested myself is to use web.config to remove the script-execution permission from the upload folder:

<location path="upload">
  <system.webServer>
    <handlers accessPolicy="Read" />
  </system.webServer>
</location>
Mehdi Saghari
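The following is an added example of the "read the file stream indirectly" approach in the answer above; it is not the answer's own code. It is written as a generic handler (loadfiles.ashx) rather than a full .aspx page so that no page lifecycle runs after the bytes are sent, so the answer's `<img src="/loadfiles.aspx?name=...">` becomes `/loadfiles.ashx?name=...`. Its point is the part the answer leaves implicit: the name parameter is attacker-controlled, so it is matched against the exact pattern the upload code generates (no "..", slashes or ";" can get through), the resolved path is re-checked against the folder, the session is checked, and headers are set so the browser cannot sniff an upload into HTML. The storage folder, the stored-name pattern (32 hex characters plus extension) and the Session["UserId"] key are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.SessionState;

// Generic handler for a hypothetical loadfiles.ashx. IRequiresSessionState gives it
// access to the user's session, which a plain IHttpHandler does not have.
public class LoadFiles : IHttpHandler, IRequiresSessionState
{
    // Assumed storage folder, outside the web root as the answer suggests.
    private const string UploadFolder = @"C:\hosting-space\myuser\mydomain.com\USERUPLOADs";

    // Only names our own upload code produces: 32 hex chars plus an allowlisted extension.
    // Anything else (paths, "..", "shell.aspx;.jpg", unknown types) fails this one test.
    private static readonly Regex StoredName =
        new Regex(@"^[0-9a-f]{32}\.(jpg|png|pdf)$", RegexOptions.Compiled);

    private static readonly Dictionary<string, string> ContentTypes =
        new Dictionary<string, string>
        {
            { ".jpg", "image/jpeg" }, { ".png", "image/png" }, { ".pdf", "application/pdf" },
        };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;

        // Session check: anonymous requests get nothing, not even a 404 that confirms existence.
        if (context.Session["UserId"] == null) { response.StatusCode = 403; return; }

        string fullPath = ResolveStoredFile(context.Request.QueryString["name"]);
        if (fullPath == null) { response.StatusCode = 404; return; }

        string ext = Path.GetExtension(fullPath).ToLowerInvariant();
        response.Clear();
        response.ContentType = ContentTypes[ext];
        response.AddHeader("X-Content-Type-Options", "nosniff");   // never sniff the body as HTML
        // Images may render inline (<img src=...>); anything else is forced to download.
        string disposition = ext == ".pdf" ? "attachment" : "inline";
        response.AddHeader("Content-Disposition",
            disposition + "; filename=\"" + Path.GetFileName(fullPath) + "\"");
        response.TransmitFile(fullPath);   // streams from disk without buffering the whole file
    }

    // Returns the full on-disk path for a valid stored name, or null if the name is not one
    // of ours, resolves outside the upload folder, or does not exist.
    internal static string ResolveStoredFile(string name)
    {
        if (name == null || !StoredName.IsMatch(name)) return null;

        string root = Path.GetFullPath(UploadFolder).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string fullPath = Path.GetFullPath(Path.Combine(root, name));

        // Belt and braces: even after the regex, insist the resolved path stays inside root.
        if (!fullPath.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return null;
        return File.Exists(fullPath) ? fullPath : null;
    }
}
```

Because the handler decides the Content-Type from its own allowlist and adds nosniff, an uploaded file that is really HTML or script is never interpreted as such in the site's origin, which is the cross-site access problem the answer mentions. Resumable downloads (Range requests) and per-user authorisation of individual files are left out here; the session check only establishes that the caller is logged in, so a real system would also verify that this user may see this particular file.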