ASP.NET Uploading Security Issue?

chuckdfoster

I am developing an ASP.NET site where an site administrator can upload files
via ASP.NET into a Documents folder. These documents are then viewed by
site users. I used the MS KB article
http://support.microsoft.com/default.aspx?scid=kb;en-us;323245 to learn how
to do this.

Is there a security issue with this. If you are giving the ASPNET account
Read & Execute, List Folder Contents, Read, and Write permissions, then
could they not upload a script and then surf to the location of that script
to execute it?

Thanks for your knowledge in advance
 
Kevin Spencer

Is there a security issue with this. If you are giving the ASPNET account
Read & Execute, List Folder Contents, Read, and Write permissions, then
could they not upload a script and then surf to the location of that script
to execute it?

Excellent question, Chuck. Assuming that you have the proper security to
prevent any unauthorized users from doing such a thing, such as requiring a
Windows logon to access the site (disallow anonymous access), you shouldn't
have a problem there. HOWEVER, you may have another issue. When I was in the
military, picking beans in Guatemala (just kidding about Guatemala - that's
from The Usual Suspects), we often had issues with Word documents emailed
from one officer to another. Seems one officer would pick up a virus on
their machine, the virus would propagate to their Word docs, and they would
then ignorantly email the docs to one another. You should have some sort of
virus protection in the loop somewhere to prevent this sort of thing.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.
 
WJ

chuckdfoster said:
Is there a security issue with this. If you are giving the ASPNET account
Read & Execute, List Folder Contents, Read, and Write permissions, then
could they not upload a script and then surf to the location of that script
to execute it?

It depends on what type of file your site accepts: generally, at the time of
upload, the file extension (.exe, .vbs, .com, .bat, .cmd and so on) can be
checked to prevent it being executed. By giving "Execute" privilege to any
IIS account such as ASPNET, yes, you introduce risk to your site.

To prevent data from being stolen, one secure way is to store the files
inside an RDBMS such as MS SQL Server or Oracle; again, it depends on how
sensitive your files are to your company and your customers. You must also
be aware that loose files cannot be protected by an Asp.Net application.

John
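As an added example (not code from the thread or from the KB article), here is the upload step done the way the answer above suggests, but with an allowlist of document extensions rather than a denylist, the client-supplied path stripped, and a generated file name on disk. It assumes an HtmlInputFile control named File1 as in the KB sample, an upload button handler, a Documents folder under the application root, and a 10 MB size limit; all of those are assumptions.

```csharp
// Added example for the upload scenario in this thread; not the KB article's code.
// Assumes: an .aspx page with <input type="file" id="File1" runat="server" />
// and a button wired to UploadButton_Click, plus a Documents folder under the app.
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;
using System.Web.UI;
using System.Web.UI.HtmlControls;

public partial class Upload : Page
{
    // Allowlist, not denylist: anything not listed is rejected, so an extension
    // that IIS hands to a script engine (.aspx, .ashx, .asp, ...) is never
    // accepted by accident. The set itself is an assumption for this example.
    private static readonly HashSet<string> AllowedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt" };

    private const int MaxBytes = 10 * 1024 * 1024; // assumed 10 MB limit

    protected HtmlInputFile File1; // declared here as in the ASP.NET 1.x code-behind model

    protected void UploadButton_Click(object sender, EventArgs e)
    {
        HttpPostedFile hpf = File1.PostedFile;
        if (hpf == null || hpf.ContentLength == 0)
            throw new HttpException(400, "No file was posted.");
        if (hpf.ContentLength > MaxBytes)
            throw new HttpException(413, "File too large.");

        // The browser sends a name; some send a full path. Keep only the
        // file-name part so "..\..\web.config" cannot escape the folder.
        string originalName = Path.GetFileName(hpf.FileName);
        string ext = Path.GetExtension(originalName);

        // GetExtension returns the LAST extension, so "report.pdf.aspx"
        // yields ".aspx" and is rejected here.
        if (string.IsNullOrEmpty(ext) || !AllowedExtensions.Contains(ext))
            throw new HttpException(415, "File type not allowed.");

        // Never reuse the client's name on disk: a generated name cannot
        // overwrite an existing document and carries no surprises.
        string storedName = Guid.NewGuid().ToString("N") + ext;
        string folder = Server.MapPath("~/Documents");
        string fullPath = Path.Combine(folder, storedName);

        hpf.SaveAs(fullPath);
        // Keep originalName only as metadata (e.g. in a database row) for display.
    }
}
```

Two things this code cannot do on its own. The check lives in this page only, so any other page that writes into the same folder bypasses it. And whether an uploaded .aspx would run is decided by IIS's script mapping for that folder, not by the NTFS "Read & Execute" right the question mentions; turning off IIS execute/script permissions for the Documents folder (the folder's properties in IIS 6, or `<handlers accessPolicy="Read">` inside a `<location>` for the folder on IIS 7 and later) means nothing in it is handed to a script engine even if a check is missed.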
 
chuckdfoster

Thanks for your help. The part of the site where a user can upload uses
Windows Authentication. The part where users get these files needs
anonymous access so all hospital employees can get to them. Other than
viruses, do you see a risk with this? Is there any way someone could get a
file into the folder without using my upload page (Windows restricted)?

Thanks again,
Chuck Foster
 
chuckdfoster

Thanks for your help. How do you specify the types of files that can be
uploaded?

Thanks,
Chuck Foster
 
WJ

chuckdfoster said:
Thanks for your help. How do you specify the types of files that can be
uploaded?

I never do this on the Web. But in Windows Forms, there is a FileDialog control.
There may be some 3rd party that provides this type of web control which I am
not aware of. However, in a Web form, you can still inspect the HtmlInputFile
control by doing this:

//***********************************
// File1 is the HtmlInputFile control (runat="server") on the page
HttpPostedFile hpf = File1.PostedFile;
string fn = System.IO.Path.GetFileName(hpf.FileName);
if (fn.ToLower().EndsWith(".exe"))
{
    // Throw error. Do not allow EXE file....
    throw new HttpException("EXE files are not allowed.");
}
//***********************************

John
 
bradbury9

chuckdfoster said:
I am developing an ASP.NET site where an site administrator can upload files
via ASP.NET into a Documents folder. These documents are then viewed by
site users. I used the MS KB article
http://support.microsoft.com/default.aspx?scid=kb;en-us;323245 to learn how
to do this.

Is there a security issue with this. If you are giving the ASPNET account
Read & Execute, List Folder Contents, Read, and Write permissions, then
could they not upload a script and then surf to the location of that script
to execute it?

Thanks for your knowledge in advance

This is what I would do in that situation:

1.- Modify the code in
http://support.microsoft.com/default.aspx?scid=kb;en-us;323245 in
order to check the ContentType of the posted file before writing it to
disk. It could be something similar to this. The code could be wrong,
as I cannot test it.

2.- Check the web site for other upload pages so no other upload page
can upload files to that folder.

Private Function checkContentAllowed(ByVal content As String) As Boolean
    Select Case content.ToLower()
        Case "text/plain"
            checkContentAllowed = True
        Case "other allowed type"
            checkContentAllowed = True
        Case Else
            checkContentAllowed = False
    End Select
End Function

.........
If checkContentAllowed(File1.PostedFile.ContentType) = True Then
    File1.PostedFile.SaveAs("savedFile.txt") ' <-- Or the original filename ;-)
Else
    Response.Write("What the hell are you uploading?????")
End If
..........
 
bradbury9

WJ said:
I never do this on the Web. But in Windows Forms, there is a FileDialog control.
There may be some 3rd party that provides this type of web control which I am
not aware of. However, in a Web form, you can still inspect the HtmlInputFile
control by doing this:

//***********************************
// File1 is the HtmlInputFile control (runat="server") on the page
HttpPostedFile hpf = File1.PostedFile;
string fn = System.IO.Path.GetFileName(hpf.FileName);
if (fn.ToLower().EndsWith(".exe"))
{
    // Throw error. Do not allow EXE file....
    throw new HttpException("EXE files are not allowed.");
}
//***********************************

John

Please, check the PostedFile.ContentType instead of the filename. That
is not a good choice. AFAIK a renamed .exe could be uploaded as a .txt,
for example. The asp_net process checks the content type to show data
to the user. The malicious .txt would be executed.

Correct me if I am wrong.

bradbury9
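Both PostedFile.ContentType and PostedFile.FileName are filled in from what the client's browser sends, so neither one proves what the bytes actually are. The check below, added here as an example and not from any post in the thread, reads the file's leading bytes (its "magic number") and compares them with what the claimed extension should start with; the signature table and the sample inputs are constructed for the example.

```csharp
// Added example, not from the thread: verify a file's leading bytes against
// the extension it claims, instead of trusting the client-supplied Content-Type.
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

public static class FileSignature
{
    // Constructed table: extension -> accepted leading byte sequences.
    // Only extensions listed here can pass (allowlist semantics).
    private static readonly Dictionary<string, byte[][]> Signatures =
        new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase)
        {
            { ".pdf",  new[] { Encoding.ASCII.GetBytes("%PDF-") } },
            { ".png",  new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } } },
            { ".jpg",  new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
            { ".gif",  new[] { Encoding.ASCII.GetBytes("GIF87a"), Encoding.ASCII.GetBytes("GIF89a") } },
            // Office 2007+ documents are ZIP containers ("PK\x03\x04");
            // legacy .doc/.xls are OLE2 compound files.
            { ".docx", new[] { new byte[] { 0x50, 0x4B, 0x03, 0x04 } } },
            { ".doc",  new[] { new byte[] { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 } } },
        };

    // Windows executables (PE files) start with "MZ"; reject those whatever they are called.
    private static readonly byte[] MzHeader = { 0x4D, 0x5A };

    // Returns true only if the stream starts with a signature known for 'extension'.
    // The stream must be seekable (HttpPostedFile.InputStream is); position is restored.
    public static bool MatchesExtension(Stream content, string extension)
    {
        byte[][] candidates;
        if (!Signatures.TryGetValue(extension, out candidates))
            return false; // unknown extension: nothing to verify, so reject

        byte[] head = new byte[16];
        long start = content.Position;
        int read = content.Read(head, 0, head.Length);
        content.Position = start;

        if (StartsWith(head, read, MzHeader))
            return false;

        foreach (byte[] sig in candidates)
            if (StartsWith(head, read, sig))
                return true;
        return false;
    }

    private static bool StartsWith(byte[] head, int read, byte[] sig)
    {
        if (read < sig.Length) return false;
        for (int i = 0; i < sig.Length; i++)
            if (head[i] != sig[i]) return false;
        return true;
    }

    // Constructed inputs: a renamed executable claiming to be a PDF, and a real PDF header.
    // Returns true when the renamed executable is rejected and the PDF is accepted.
    public static bool Demo()
    {
        var renamedExe = new MemoryStream(new byte[] { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00 });
        var realPdf = new MemoryStream(Encoding.ASCII.GetBytes("%PDF-1.4\n%\xE2\xE3\xCF\xD3\n"));
        return !MatchesExtension(renamedExe, ".pdf") && MatchesExtension(realPdf, ".pdf");
    }
}
```

In the upload page this runs after the extension check, as `FileSignature.MatchesExtension(hpf.InputStream, ext)`. Two limits worth knowing: plain text has no signature, so a .txt cannot be verified this way (the table above simply rejects it; accept .txt on extension alone if you need it), and the .docx check only proves the file is a ZIP. The check narrows what gets stored; the thing that actually stops an uploaded script from running is that IIS never executes anything in the Documents folder.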
 
