Many of you have upload capability on your web site to allow your users to upload files (graphics, documents, etc.). Recently, we have seen many sites exploited through the application's upload feature. Typically, this is how the hackers get through:

1) Search the Internet for commonly used file names for upload pages, such as Upload.htm, upload.asp, etc.
2) Once the page is located, they will attempt to upload scripts that can be executed from the browser.

They can do quite a bit once they get the script on to your site: create a script to deface your site, parse the source or config file for database connection information, download your Access database file, etc.

You can close this type of security hole by making simple changes to your application to only allow a user to upload non-executable files. I created some sample code snippets to get you started:

For ASP Script using ASPUpload Component:

<%
Set Upload = Server.CreateObject("Persits.Upload")
' Save all uploaded files into the virtual directory /uploadDir
Upload.SaveVirtual "/uploadDir"

' Check each file's extension. If it has an invalid extension, delete it.
For Each File In Upload.Files
    If Not isExtensionValid(File.FileName) Then
        File.Delete
        ' HTMLEncode the name so a crafted file name is not rendered as markup
        Response.Write "Invalid File Extension : " & Server.HTMLEncode(File.FileName)
    End If
Next

Function isExtensionValid(filename)
    ' Get the extension of the file (the text after the last dot), lower-cased
    ' so that "PHOTO.JPG" matches "jpg" (Select Case compares case-sensitively)
    Dim arrTemp, extension
    arrTemp = Split(filename, ".")
    extension = LCase(arrTemp(UBound(arrTemp)))
    Select Case extension
        ' This is the list of valid extensions
        ' Note: a browser renders an uploaded .htm file as HTML, so any script
        ' inside it runs in visitors' browsers even though the server never executes it
        Case "gif", "jpg", "jpeg", "png", "htm", "doc", "pdf"
            isExtensionValid = True
        Case Else
            isExtensionValid = False
    End Select
End Function
%>

For ASP.NET Script:

<%@ Page Language="vb" %>
<html>
<Script Language="VB" RunAt="Server">
    Sub Upload_Click(ByVal Sender As Object, ByVal e As EventArgs)
        ' Make sure a file was actually posted before touching it
        If MyFile.PostedFile Is Nothing OrElse MyFile.PostedFile.ContentLength = 0 Then
            lblResult.Text = "No file selected"
            Exit Sub
        End If

        ' Keep only the file name; GetFileName strips any directory part the client sent
        Dim strFileName As String
        strFileName = System.IO.Path.GetFileName(MyFile.PostedFile.FileName)

        If Not isExtensionValid(strFileName) Then
            lblResult.Text = "Invalid Extension"
            Exit Sub
        End If

        ' MapPath takes a virtual path, so use forward slashes
        MyFile.PostedFile.SaveAs(Server.MapPath("/uploaddir/" & strFileName))
        lblResult.Text = "File uploaded"
    End Sub

    Function isExtensionValid(ByVal filename As String) As Boolean
        ' Get the extension of the file (the text after the last dot), lower-cased
        ' because Select Case compares strings case-sensitively by default
        Dim arrTemp As String() = Split(filename, ".")
        Dim extension As String = arrTemp(UBound(arrTemp)).ToLower()
        Select Case extension
            ' This is the list of valid extensions
            Case "gif", "jpg", "jpeg", "png", "htm", "doc", "pdf"
                Return True
            Case Else
                Return False
        End Select
    End Function
</Script>
<Body>
<Font Size=5> Uploading Securely In ASP.Net </Font>
<HR Size="2" Color=Black >
<P>
<Form Method="Post" EncType="Multipart/Form-Data" RunAt="Server">
    Select File To Upload :
    <Input ID="MyFile" Type="File" RunAt="Server" Size="40">
    <Input Type="Submit" Value="Upload" OnServerclick="Upload_Click" RunAt="Server">
    <P>
    <asp:label id="lblResult" runat="server"></asp:label>
</Form>
</Body>
</html>

Bruce
DiscountASP.NET
www.DiscountASP.NET
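As an added, language-neutral illustration of the allowlist approach in Bruce's post (this is editor-added Python, not code from the post or from DiscountASP.NET), the module below does the same last-extension check with two further defender-side steps: it strips directory parts, trailing dots and case from the client-supplied name before checking it, and it refuses files whose leading bytes do not match the claimed type. The allowlist, the magic-byte table, the stored-name scheme and the sample uploads are all constructed for the example; the allowlist leaves out htm because a browser renders an uploaded .htm page as HTML.

```python
"""Upload validation: allowlist of extensions plus a leading-bytes content check."""
import os
import uuid

# Extensions this example site accepts (constructed list; "htm" left out because
# a browser renders an uploaded .htm as HTML, so any script it carries runs in
# visitors' browsers even though the server never executes the file).
ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png", "doc", "pdf"}

# Leading bytes that genuine files of each accepted type start with
# (constructed table; only types with a stable signature are listed).
MAGIC_BYTES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
    "doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # OLE2 compound document
}


def get_extension(client_filename: str) -> str:
    """Return the lower-cased text after the last dot, or "" when there is none.

    Directory parts (Windows or POSIX style) are removed first. Trailing dots
    and spaces are dropped because Windows drops them when the file is created,
    so "name.asp." must be judged by "asp", not by an empty extension.
    """
    base = os.path.basename(client_filename.replace("\\", "/")).rstrip(". ")
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def is_extension_valid(client_filename: str) -> bool:
    """True only when the last extension is on the allowlist ("" never is)."""
    return get_extension(client_filename) in ALLOWED_EXTENSIONS


def content_matches_extension(data: bytes, ext: str) -> bool:
    """True when the first bytes of the upload look like a file of type ext."""
    signatures = MAGIC_BYTES.get(ext)
    if signatures is None:
        return False
    return any(data.startswith(sig) for sig in signatures)


def stored_name_for(client_filename: str) -> str:
    """Server-chosen on-disk name: random stem plus the validated extension.

    The client-supplied stem is never used on disk, so unusual characters or
    collisions with existing files cannot come from the upload itself.
    """
    return f"{uuid.uuid4().hex}.{get_extension(client_filename)}"


def validate_upload(client_filename: str, data: bytes) -> tuple:
    """Return (accepted, stored_name_or_reason) for one posted file."""
    ext = get_extension(client_filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"invalid extension: {ext or '(none)'}"
    if not content_matches_extension(data, ext):
        return False, f"content does not look like a .{ext} file"
    return True, stored_name_for(client_filename)


if __name__ == "__main__":
    # Constructed sample uploads (file names and bytes made up for the example)
    samples = [
        ("holiday.JPG", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("report.pdf", b"%PDF-1.4\n"),
        ("notes.asp", b"<% %>"),
        ("photo.gif.asp", b"GIF89a" + b"\x00" * 8),
        ("README", b"plain text"),
        ("fake.png", b"<html></html>"),
    ]
    for name, data in samples:
        print(f"{name:15} -> {validate_upload(name, data)}")
```

The two checks are deliberately independent: the extension decides how the web server will treat the file once it is on disk, while the content check catches a file that merely carries an allowed extension. Rejecting on either keeps the allowlist as the single place to extend when a new type must be accepted.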
Many, many thanks for the example code. May I ask a question: is there any readily available sample code on how to use the IPWorks webupload component using form authentication on a protected page? I would like to be able to upload a 100mb file of a particular extension (pdf), then download it later and delete it the same day. I really need the UploadProgress event to be able to somehow display status and not strain the server. -jh
There shouldn't be any constraints from the control's point of view unless you programmatically manage the file upload. I have used the control and uploaded various file formats. BTW, what's the problem you are facing? Vikram DiscountASP.NET www.DiscountASP.NET
Have you used the FileUpload control in ASP.NET 2.0? I'm having problems uploading files to my website (it works fine on my localhost), but it won't allow Word docs, graphics etc., only text files, on the website. Is there any reason for this?
Well, I have now fixed my problem but thought I'd share my results.
Problem: the FileUpload control in ASP.NET 2.0 wouldn't upload files of type .doc, .xls, or .gif, .png, .jpg over 1kb; it would display a redirected page saying the connection to the server was lost. Also, I noticed I couldn't attach documents to Hotmail; it would just freeze on upload.
Solution (or part solution): we had a firewall on our office connection which had a setting "Drop non-http connection on TCP port 80" (enabled). After disabling that feature, everything worked how it should. But by doing this, is it a security issue now?
If you are able to upload files with some extensions, I believe it's some kind of a rule in your firewall which blocks file uploads having those extensions/sizes. I would suggest looking into it before you decide to open any non-HTTP connections. Vikram DiscountASP.NET www.DiscountASP.NET