Securing the upload function on your web site

Discussion in 'Classic ASP' started by Bruce, Oct 13, 2006.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. Bruce

    Bruce DiscountASP.NET Staff

    Many of you have upload capability on your web site to allow your users to upload files (Graphics, documents, etc.).

    Recently, we have seen many sites exploited through the application's upload feature. Typically, this is how the hackers get through:

    1) Search the Internet for commonly used file names for upload pages, such as Upload.htm, upload.asp, etc.

    2) Once the page is located, they will attempt to upload scripts that can be executed from the browser. They can do quite a bit once they get the script onto your site: create a script to deface your site, parse the source or config file for database connection information, download your Access database file, etc.

    You can close this type of security hole by making simple changes to your application to only allow a user to upload non-executable files.

    I created some sample code snippets to get you started:

    For ASP Script using ASPUpload Component

    <%
    Set Upload = Server.CreateObject("Persits.Upload")
    Upload.SaveVirtual "/uploadDir"

    ' Check each file's extension. If it has an invalid extension, delete it.
    For Each File In Upload.Files
        If Not isExtensionValid(File.FileName) Then
            File.Delete
            Response.Write "Invalid File Extension : " & File.FileName
        End If
    Next

    Function isExtensionValid(filename)
        ' Get the extension of the file (the text after the last dot), lowercased
        ' so that "PHOTO.GIF" and "photo.gif" are treated the same way
        arrTemp = Split(filename, ".")
        extension = LCase(arrTemp(UBound(arrTemp)))
        Select Case extension
            ' This is the list of valid extensions
            Case "gif", "jpg", "jpeg", "png", "htm", "doc", "pdf"
                isExtensionValid = True
            Case Else
                isExtensionValid = False
        End Select
    End Function
    %>
    For ASP.NET Script:

    <%@ Page Language="vb" %>
    <html>
    <Script Language="VB" RunAt="Server">
    Sub Upload_Click(ByVal Sender As Object, ByVal e As EventArgs)

        ' Keep only the file name part of the client-supplied path
        Dim strFileName As String
        strFileName = System.IO.Path.GetFileName(MyFile.PostedFile.FileName)

        If Not isExtensionValid(strFileName) Then
            lblResult.Text = "Invalid Extension"
            Exit Sub
        End If

        MyFile.PostedFile.SaveAs(Server.MapPath("/uploaddir/" & strFileName))
        lblResult.Text = "File uploaded"
    End Sub

    Function isExtensionValid(ByVal filename As String) As Boolean
        ' Get the extension of the file (the text after the last dot), lowercased
        ' because Select Case compares strings case-sensitively by default
        Dim arrTemp As String() = Split(filename, ".")
        Dim extension As String = arrTemp(UBound(arrTemp)).ToLower()

        Select Case extension
            ' This is the list of valid extensions
            Case "gif", "jpg", "jpeg", "png", "htm", "doc", "pdf"
                Return True
            Case Else
                Return False
        End Select
    End Function
    </Script>

    <body>
    <Font Size=5> Uploading Securely In ASP.Net </Font>
    <HR Size="2" Color=Black >
    <P>
    <Form Method="Post" EncType="Multipart/Form-Data" RunAt="Server">
    Select File To Upload :
    <Input ID="MyFile" Type="File" RunAt="Server" Size="40">
    <Input Type="Submit" Value="Upload" OnServerclick="Upload_Click" RunAt="Server">
    <P>
    <asp:label id="lblResult" runat="server"> </asp:label>
    </Form>
    </body>
    </html>

    Bruce

    DiscountASP.NET
    www.DiscountASP.NET
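    The following is an added worked example, not code from Bruce's post, from DiscountASP.NET or from the ASPUpload component. It carries the same extension allow list through in Python (chosen so it can be run anywhere) and goes a little further than the snippets above: it strips any client-supplied directory part, lowercases the final extension, rejects names without an extension or with unsafe characters, and, for the image types, also checks the file's leading bytes against the public format signatures before anything is stored. The magic-byte table, the file-name rule and the sample batch are constructed for this example.

```python
import os
import re
from typing import List, Tuple

# Allow list of non-executable types, mirroring the thread's list
# (lowercase, without the leading dot).
ALLOWED_EXTENSIONS = frozenset({"gif", "jpg", "jpeg", "png", "htm", "doc", "pdf"})

# Leading bytes of the image formats on the list (public format signatures),
# used as a second, content-based check. doc/pdf/htm are not sniffed here.
MAGIC_PREFIXES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Stored names may contain only plain characters: no separators, spaces or
# control bytes, and they must not start with a dot (rules out "." and "..").
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def base_name(filename: str) -> str:
    """Drop any directory part the client sent (Windows or POSIX separators),
    like Path.GetFileName in the ASP.NET snippet."""
    return os.path.basename(filename.replace("\\", "/"))


def is_extension_valid(filename: str) -> bool:
    """True only if the text after the *last* dot is on the allow list.
    Same split-on-dot idea as the thread's isExtensionValid, plus lowercasing,
    so 'photo.JPG' passes while 'photo.jpg.asp' and 'README' do not."""
    base = base_name(filename)
    if "." not in base:
        return False  # no extension at all: reject rather than guess
    ext = base.rsplit(".", 1)[1].lower()
    return ext in ALLOWED_EXTENSIONS


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide *before* saving. Returns (ok, safe_name_or_reason)."""
    base = base_name(filename)
    if not _SAFE_NAME.match(base):
        return False, "unsafe file name"
    if not is_extension_valid(base):
        return False, "extension not allowed"
    ext = base.rsplit(".", 1)[1].lower()
    prefixes = MAGIC_PREFIXES.get(ext)
    if prefixes is not None and not data.startswith(prefixes):
        return False, "content does not match extension"
    return True, base


def process_uploads(uploads: List[Tuple[str, bytes]]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a batch into names that are safe to store and (name, reason) rejections.
    Nothing touches the disk until the check has passed, unlike save-then-delete."""
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for name, data in uploads:
        ok, detail = validate_upload(name, data)
        if ok:
            accepted.append(detail)
        else:
            rejected.append((name, detail))
    return accepted, rejected


# Constructed sample batch (not real uploads); headers are the public signatures.
SAMPLE_UPLOADS: List[Tuple[str, bytes]] = [
    ("photo.JPG", b"\xff\xd8\xff\xe0" + b"\x00" * 16),          # accepted
    ("C:\\Users\\me\\logo.gif", b"GIF89a" + b"\x00" * 16),      # accepted as logo.gif
    ("page.asp", b"<%= 1 %>"),                                   # script extension
    ("photo.jpg.asp", b"<%= 1 %>"),                              # last extension wins
    ("README", b"plain text"),                                   # no extension
    ("fake.png", b"GIF89a" + b"\x00" * 16),                      # header is not PNG
    ("..", b""),                                                 # unsafe name
    ("a b.gif", b"GIF89a"),                                      # space in name
]

if __name__ == "__main__":
    kept, dropped = process_uploads(SAMPLE_UPLOADS)
    print("accepted:", kept)
    for name, why in dropped:
        print("rejected:", name, "->", why)
```

    The point of `process_uploads` is ordering: the thread's Classic ASP snippet saves every file first and deletes the bad ones afterwards, whereas here the decision is made on the name and leading bytes before a write happens, so a rejected file never exists on the server.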
     
  2. Check the file type, i.e. something like

    <%
    Set Upload = Server.CreateObject("Persits.Upload")
    count = Upload.SaveVirtual("/aspupload")

    ' With a multipart/form-data post the file names come from Upload.Files,
    ' not from Request.Form; remove anything that fails the check
    For Each File In Upload.Files
        If Not isValidFile(File.FileName) Then
            File.Delete
            count = count - 1
        End If
    Next
    Response.Write count & " file(s) uploaded"

    Function isValidFile(filename)
        ' Compare the last four characters of the name, lowercased
        fileExtension = LCase(Right(filename, 4))
        Select Case fileExtension
            ' Allow list of non-executable types; do not add server-side script
            ' extensions such as .asp or .php to this list
            Case ".gif", ".jpg", ".png", "jpeg"
                isValidFile = True
            Case Else
                isValidFile = False
        End Select
    End Function
    %>

    Vikram

    DiscountASP.NET
    www.DiscountASP.NET
     
  3. I'm trying to implement some sort of upload script from my ASP pages. I'm wondering what more I need to do aside from this, as the documentation doesn't seem clear to me:

    <html>
    <body>
    <%
    Set Upload = Server.CreateObject("Persits.Upload")
    count = Upload.SaveVirtual("/aspupload")
    Response.Write count & " file(s) uploaded"
    %>
    </body>
    </html>

    Form Upload Page

    <html>
    <head>
    </head>
    <body>
    <form action="aspupload1.asp" method="post" enctype="multipart/form-data">
    <input type="file" size="40" name="FILE1" />
    <input type="submit" value="Upload!" />
    </form>
    </body>
    </html>

    thanks
    ch99
     
  4. Bruce

    I am new to DASP. I am still learning ASP.NET. But I do enjoy your slick tricks that you post. They are a great source of learning. It sure does bring customer service to higher level.

    Thanks
    Jerry
     
  5. Bruce

    Bruce DiscountASP.NET Staff

    hey jerry,

    Sorry for the late response; I was away for the last week.

    Thanks for the compliment!!


    Bruce

    DiscountASP.NET
    www.DiscountASP.NET
     