Securing the upload function on your web site

Discussion in 'ASP.NET 2.0' started by Bruce, Oct 13, 2006.

  1. Bruce

    Bruce DiscountASP.NET Staff

    Many of you have upload capability on your web site to allow your users to upload files (Graphics, documents, etc.).

    Recently, we have seen many sites exploited through the application's upload feature. Typically, this is how the hackers get through:

    1) Search the Internet for commonly used file names for upload pages, such as Upload.htm, upload.asp, etc.

    2) Once the page is located, they will attempt to upload scripts that can be executed from the browser. They can do quite a bit once they get the script onto your site: create a script to deface your site, parse the source or config file for database connection information, download your Access database file, etc.

    You can close this type of security hole by making simple changes to your application to only allow a user to upload non-executable files.

    I created some sample code snippets to get you started:

    For ASP Script using ASPUpload Component:

    <%
    Set Upload = Server.CreateObject("Persits.Upload")
    Upload.SaveVirtual "/uploadDir"

    ' Check each file's extension. If it has an invalid extension, delete it.
    For Each File In Upload.Files
        If Not isExtensionValid(File.FileName) Then
            File.Delete
            Response.Write "Invalid File Extension : " & File.FileName
        End If
    Next

    Function isExtensionValid(filename)
        ' Get the extension of the file (the text after the last dot),
        ' lower-cased so "GIF" and "gif" are treated the same
        arrTemp = Split(filename, ".")
        extension = LCase(arrTemp(UBound(arrTemp)))
        Select Case extension
            ' This is the list of valid extensions
            Case "gif", "jpg", "jpeg", "png", "htm", "doc", "pdf"
                isExtensionValid = True
            Case Else
                isExtensionValid = False
        End Select
    End Function
    %>
    For ASP.NET Script:

    <%@ Page Language="vb" %>
    <html>
    <Script Language="VB" RunAt="Server">
    Sub Upload_Click(ByVal Sender As Object, ByVal e As EventArgs)

        ' Check the uploaded file's name before anything is written to disk
        Dim strFileName As String
        strFileName = System.IO.Path.GetFileName(MyFile.PostedFile.FileName)

        If Not isExtensionValid(strFileName) Then
            lblResult.Text = "Invalid Extension"
            Exit Sub
        End If

        MyFile.PostedFile.SaveAs(Server.MapPath("/uploaddir/" & strFileName))
        lblResult.Text = "File uploaded"
    End Sub

    Function isExtensionValid(ByVal filename As String) As Boolean
        ' Get the extension of the file (the text after the last dot),
        ' lower-cased so "GIF" and "gif" are treated the same
        Dim arrTemp As String() = Split(filename, ".")
        Dim extension As String = LCase(arrTemp(UBound(arrTemp)))

        Select Case extension
            ' This is the list of valid extensions
            Case "gif", "jpg", "jpeg", "png", "htm", "doc", "pdf"
                Return True
            Case Else
                Return False
        End Select
    End Function
    </Script>

    <Body>
    <Font Size=5> Uploading Securely In ASP.Net </Font>
    <HR Size="2" Color=Black >
    <P>

    <Form Method="Post" EncType="Multipart/Form-Data" RunAt="Server">
    Select File To Upload :
    <Input ID="MyFile" Type="File" RunAt="Server" Size="40">

    <Input Type="Submit" Value="Upload" OnServerClick="Upload_Click" RunAt="Server">
    <P>
    <asp:label id="lblResult" runat="server"> </asp:label>
    </Form>
    </Body>
    </html>

    Bruce

    DiscountASP.NET
    www.DiscountASP.NET
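A hardened version of the extension check from the samples above, added here as an example and not taken from Bruce's post or from DiscountASP.NET: it strips any client-side path, compares the extension case-insensitively against an allow-list, rejects names with more than one extension, and stores the file under a generated name so the user-supplied name never reaches the file system. The names `IsExtensionValid`, `SafeStorageName` and the sample file names are my own; `.htm` is left off the list because user-uploaded HTML is rendered in your site's origin.

```vb
' Added example (not from the original post): stand-alone VB.NET module that
' can be compiled as a console program and dropped into an ASP.NET 2.0 site.
Imports System
Imports System.IO

Module UploadValidation

    ' Allow-list of extensions the site is willing to store. Anything not
    ' listed is rejected, so server-side script types are blocked by default.
    Private ReadOnly AllowedExtensions As String() = _
        New String() {".gif", ".jpg", ".jpeg", ".png", ".doc", ".pdf"}

    ' Returns True only if the name has exactly one extension and that
    ' extension is on the allow-list (compared case-insensitively).
    Public Function IsExtensionValid(ByVal postedName As String) As Boolean
        If String.IsNullOrEmpty(postedName) Then Return False
        ' Some browsers send the full client path; keep only the final segment.
        Dim name As String = Path.GetFileName(postedName.Replace("\"c, "/"c))
        ' Names like "report.asp.pdf" or ".htaccess" are rejected outright: a
        ' stored name must have one dot, so no earlier extension can be read.
        If name.Split("."c).Length <> 2 Then Return False
        Dim ext As String = Path.GetExtension(name).ToLowerInvariant()
        Return Array.IndexOf(AllowedExtensions, ext) >= 0
    End Function

    ' Builds the name actually used on disk: a random name plus the validated
    ' extension, so the user-supplied name never reaches the file system.
    Public Function SafeStorageName(ByVal postedName As String) As String
        If Not IsExtensionValid(postedName) Then
            Throw New ArgumentException("Invalid file extension")
        End If
        Dim ext As String = Path.GetExtension(postedName).ToLowerInvariant()
        Return Guid.NewGuid().ToString("N") & ext
    End Function

    Sub Main()
        ' Constructed sample names to exercise the check.
        Dim samples As String() = New String() { _
            "photo.JPG", "C:\Users\me\report.pdf", "shell.asp", _
            "shell.asp.jpg", "noext", ".htaccess"}
        For Each s As String In samples
            Console.WriteLine("{0,-30} -> {1}", s, IsExtensionValid(s))
        Next
        Console.WriteLine("stored as: " & SafeStorageName("photo.JPG"))
    End Sub

End Module
```

In the page's Upload_Click, replace the SaveAs call with SaveAs(Server.MapPath("/uploaddir/" & SafeStorageName(strFileName))) and record the original name in your database if you need to show it back to the user.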
     
  2. Many many thanks for the example code.

    May I ask a question:
    Is there any readily available sample code on how to use the IPWorks webupload component?

    Using form authentication on a protected page... I would like to be able to upload a 100mb file of a particular extension (pdf), then download it later and delete it the same day. I really need the UploadProgress event to be able to somehow display status and not strain the server.

    -jh
     
  3. Bruce

    Bruce DiscountASP.NET Staff

    There shouldn't be any constraints from the control's point of view unless you programmatically manage the file upload. I have used the control and uploaded various file formats. BTW, what's the problem you are facing?

    Vikram

    DiscountASP.NET
    www.DiscountASP.NET
     
  5. Have you used the FileUpload control in ASP.NET 2.0?

    I'm having problems uploading files to my website (it works fine on my localhost), but it won't allow Word docs, graphics, etc., only text files on the website. Is there any reason for this?
     
  6. Well, I have now fixed my problem, but thought I'd share my results.

    Problem: the FileUpload control in ASP.NET 2.0 wouldn't upload files of type .doc, .xls, or .gif, .png, .jpg over 1kb; it would display a redirected page saying the connection to the server was lost.

    Also, I noticed I couldn't attach documents to Hotmail; it would just freeze on upload.

    Solution (or part solution): we had a firewall on our office connection which had a setting
    "Drop non-http connection on TCP port 80" (enabled).
    Disabling that feature made everything work how it should. But by doing this, is it a security issue now?
     
  7. If you are able to upload files with some extensions, I believe it's some kind of a rule in your firewall which blocks file uploads having those extensions/sizes. I would suggest looking into it before you decide to open any non-http connections.

    Vikram

    DiscountASP.NET
    www.DiscountASP.NET
     
