I have been tasked with adding security to an application after it failed an audit. One of the issues is unrestricted file uploads.
I have set the allowed file types in the JavaScript and it correctly disallows the user from uploading file types such as .exe:
$('#up_ItemImg').fineUploader({
    button: $('#up_ItemImg'),
    uploaderType: 'basic',
    request: {
        endpoint: '/Admin/_customer/CustomerWS.ashx?method=SaveImage&customerID=' + customerID
    },
    validation: {
        // Client-side checks only: they run in the browser and can be bypassed by editing the request.
        allowedExtensions: ['jpeg', 'jpg', 'png', 'bmp', 'gif', 'tiff'],
        sizeLimit: 5242880 // 5 MB = 1024 * 1024 * 5 bytes
    }
}).on('complete', function (event, id, fileName, responseJSON) {
    // The jQuery plugin passes the jQuery event object as the first argument of every callback.
    if (responseJSON.success) {
        $("#imgCustomerLogo").attr("src", responseJSON.data);
    }
}).on('error', function (event, id, name, errorReason) {
    // Same convention as 'complete': event first, then id, file name and the reason string.
    if (errorReason === 'Upload failure reason unknown') {
        return;
    }
    if (errorReason.indexOf('XHR returned response code') === 0) {
        return;
    }
    alert(errorReason);
});
The problem comes in if you use something like Fiddler and modify that request: changing the .jpg to .exe and re-executing the request succeeds.
I am a bit out of my depth here, to be honest. How would I go about stopping something like that from happening?
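A server-side gate for the SaveImage endpoint, added here as an example and not the poster's own CustomerWS.ashx: it re-applies the extension and size limits on the server, checks the file's leading bytes against the claimed extension, and stores the file under a generated name in a folder IIS does not serve. The handler name, the App_Data/logos folder and the Logo.ashx read-back URL are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Web;
// Hypothetical replacement for the question's SaveImage handler (all names assumed).
public class SaveImageHandler : IHttpHandler
{
    const int MaxBytes = 5 * 1024 * 1024; // the client's 5 MB cap, now enforced where it cannot be bypassed
    // Accepted extension -> leading bytes a genuine file of that type starts with. The client's
    // allowedExtensions list is repeated here because the browser-side check is advisory only.
    static readonly Dictionary<string, byte[][]> Signatures = new Dictionary<string, byte[][]>
    {
        { ".jpg",  new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
        { ".jpeg", new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
        { ".png",  new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } } },
        { ".gif",  new[] { new byte[] { 0x47, 0x49, 0x46, 0x38 } } },
        { ".bmp",  new[] { new byte[] { 0x42, 0x4D } } },
        { ".tiff", new[] { new byte[] { 0x49, 0x49, 0x2A, 0x00 }, new byte[] { 0x4D, 0x4D, 0x00, 0x2A } } },
    };
    // Returns null when the upload is acceptable, otherwise one of our own fixed rejection reasons.
    public static string Reject(HttpPostedFile file)
    {
        if (file == null || file.ContentLength == 0) return "no file";
        if (file.ContentLength > MaxBytes) return "too large";
        string ext = Path.GetExtension(file.FileName ?? "").ToLowerInvariant(); // also drops any directory part
        byte[][] magics;
        if (!Signatures.TryGetValue(ext, out magics)) return "extension not allowed";
        // Check the body, not just the name: renaming a.exe to a.jpg in a proxy leaves these bytes unchanged.
        byte[] head = new byte[8];
        int n = file.InputStream.Read(head, 0, head.Length);
        file.InputStream.Position = 0;
        bool ok = magics.Any(m => n >= m.Length && m.SequenceEqual(head.Take(m.Length)));
        return ok ? null : "content does not match extension";
    }
    public bool IsReusable { get { return false; } }
    public void ProcessRequest(HttpContext ctx)
    {
        HttpPostedFile file = ctx.Request.Files.Count > 0 ? ctx.Request.Files[0] : null;
        string reason = Reject(file);
        if (reason != null) { ctx.Response.StatusCode = 400; ctx.Response.Write("{\"success\":false,\"error\":\"" + reason + "\"}"); return; }
        // Never keep the client's file name. A server-generated name under App_Data (which IIS does not
        // serve as static content) means nothing uploaded can be fetched and executed by URL.
        string stored = Guid.NewGuid().ToString("N") + Path.GetExtension(file.FileName).ToLowerInvariant();
        file.SaveAs(Path.Combine(ctx.Server.MapPath("~/App_Data/logos"), stored));
        ctx.Response.Write("{\"success\":true,\"data\":\"/Admin/_customer/Logo.ashx?f=" + stored + "\"}"); // assumed read-back handler
    }
}
```

The signature check stops a renamed executable but not a valid image with other content appended, so the folder it lands in still must not allow script execution.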