I have a folder in my web server used for the users to upload photos using an ASP page.

Is it safe enough to give IUSR write permissions to the folder? Must I secure something else? I am afraid of hackers bypassing the ASP page and uploading content directly to the folder.

I'm using ASP classic and IIS6 on Windows 2003 Server. The upload is through HTTP, not FTP.

Edit: Changing the question for clarity and changing my answers as comments.

+1  A: 

How will the user upload the photos? If you are writing an ASP page to accept the uploaded files then only the user that IIS runs as will need write permission to the folder, since IIS will be doing the file I/O. Your ASP page should check the file size and have some form of authentication to prevent hackers from filling your hard drive.

If you are setting up an FTP server or some other file transfer method, then the answer will be specific to the method you choose.

Ben Williams
Yes, I'm using an ASP page to do the upload, but... Is it safe to give IUSR write permission to the folder? If a hacker tries to post to the same folder, IIS will be involved too.
Eduardo Molteni
It's probably the most convenient method. Another solution would be to connect back to the server itself and re-upload the uploaded file via FTP, for example, but the security benefit for the trouble is not really worth it.
pilif
A: 

You'll have to grant write permissions, but you can check the file's mime type to ensure an image. You can use FSO as so:

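set fs=Server.CreateObject("Scripting.FileSystemObject")
'GetFile needs a physical path, so map the virtual path first
set f=fs.GetFile(Server.MapPath("upload.jpg"))
'image mime types are image/jpeg or image/gif, so just check whether "image" appears in the type
'compare case-insensitively, since the Type string may be capitalized (e.g. "JPEG Image")
if instr(1, f.type, "image", vbTextCompare) = 0 then
   'not an image: remove the uploaded file
   f.delete
end if
set f=nothing
set fs=nothing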

Also, most upload COM objects have a type property that you could check against before writing the file.

chrisofspades
You are getting it wrong. I'm asking about hackers bypassing the ASP page.
Eduardo Molteni
You also cannot guarantee that the MIME type is correct since this is passed by the browser (as I recall). One should open the image via something like ImageMagick and check that the dimensions can be read properly.
nlucaroni
+1  A: 

Also, I would recommend not letting the users upload into a folder that's accessible from the web. Even the best MIME type detection may fail and you absolutely don't want users to upload, say, an executable disguised as a jpeg in a case where your MIME sniffing fails, but the one in IIS works correctly.

In the PHP world it's even worse, because an attacker could upload a malicious PHP script and later access it via the webserver.

Always, always store the uploaded files in a directory somewhere outside the document root and access them via some accessing-script which does additional sanitizing (and at least explicitly sets an image/whatever MIME type).

pilif
I'm accepting the answer, but I'm still not sure if it is really a must to have the file in a directory outside the document root. It will add some performance problems, I think.
Eduardo Molteni
If you watch for correctly working caching, the performance problems will be negligible. I've answered how to do this in another question here: http://beta.stackoverflow.com/questions/48555/best-way-to-compress-html-css-js-with-moddeflate-and-modgzip-disabled#48761
pilif
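The accessing-script approach from the answer above, sketched in classic ASP as an added example (not code from any poster in this thread). The folder `D:\uploads\photos\`, the query parameter `f`, and the helpers `HexOf` and `Deny` are assumptions made for illustration.

```asp
<%
Option Explicit
' Added example. UPLOAD_DIR and the "f" parameter are assumptions.
Const UPLOAD_DIR = "D:\uploads\photos\"   ' hypothetical folder outside the web root
Const adTypeBinary = 1
Dim fileName, re, fso, path, stm, head, mime
fileName = "" & Request.QueryString("f")  ' force a string even when "f" is missing

' Allow only a bare file name: no slashes, no "..", known image extensions.
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|gif|png)$"
re.IgnoreCase = True
If Not re.Test(fileName) Then Deny "400 Bad Request"

Set fso = Server.CreateObject("Scripting.FileSystemObject")
path = UPLOAD_DIR & fileName
If Not fso.FileExists(path) Then Deny "404 Not Found"
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
stm.LoadFromFile path

' Pick the MIME type from the leading bytes, not the extension or the browser's claim.
head = ""
If stm.Size >= 4 Then head = HexOf(stm.Read(4))
If Left(head, 6) = "FFD8FF" Then
    mime = "image/jpeg"
ElseIf head = "47494638" Then        ' "GIF8"
    mime = "image/gif"
ElseIf head = "89504E47" Then        ' start of the PNG signature
    mime = "image/png"
Else
    stm.Close
    Deny "415 Unsupported Media Type"
End If
stm.Position = 0
Response.ContentType = mime          ' set explicitly, as the answer recommends
Response.AddHeader "X-Content-Type-Options", "nosniff"
Response.BinaryWrite stm.Read        ' Read with no argument returns the whole stream
stm.Close

Function HexOf(bytes)                ' byte array -> uppercase hex string
    Dim i
    For i = 1 To LenB(bytes)
        HexOf = HexOf & Right("0" & Hex(AscB(MidB(bytes, i, 1))), 2)
    Next
End Function
Sub Deny(status)                     ' set the HTTP status line and stop the script
    Response.Status = status
    Response.End
End Sub
%>
```

With this layout the upload folder needs no virtual directory at all, so IIS never maps a URL onto it and anything stored there is only ever returned as image bytes.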
A: 

Your best bang for the buck would probably be to use an upload component (I've used ASPUpload) that allows you to upload/download files from a folder that isn't accessible from the website.

You'll get some authentication hooks and won't have to worry about someone casually browsing the folder and downloading the files (or uploading in your case), since the files are only available through the component.