My website would like users to upload their photos...but how do I keep our server safe from harm? Allowing only JPGs should avoid virus trouble, but what if someone selects a 10Gb file - will that slow the whole website down?

We're using Classic ASP and IIS6 (sorry, but that's how it is, can't change that!). Previously we have used a DLL from a company called Persits to handle uploads. However, it would be helpful to other people if we extend this discussion to other languages/technologies too.

ASPs cannot detect the size of a file until it has finished uploading, so that's a pain. Or can I check content-length in the HTTP header before I start the transfer?

Q1. Are there any other ways someone could abuse the upload facility?
Q2. How can I limit the danger to keep the site running and the server safe?

Thank you.

A: 

There is a great component that uses Flash to upload files. Check it out

http://www.codeproject.com/KB/aspnet/FlashUpload.aspx

Daniel
A: 

This appears to enforce file upload size: http://www.aspupload.com/

I am not sure how it handles it.

Daniel A. White
Yeah, this is the Persits component Katy and I mention above. It doesn't check the file size until it has finished uploading which is a shame.
Magnus Smith
+2  A: 

In Persits, you can set the maximum filesize a user can upload:

Upload.SetMaxSize 100000, True

The "True" above shows that the file is to be rejected if over the Max size. If set to False then the file will be truncated.

See http://www.aspupload.com/object_upload.html#SetMaxSize

Katy
thanks, but does it upload the whole file first, before it looks at how big it is?
Magnus Smith
From the user manual: "A value set by SetMaxSize is applied to each uploaded file individually rather than an entire upload. Since AspUpload has no way of knowing in advance how many files there are in a POST and how large they are, it will always allow the upload process to go through, even if the very first file exceeds the specified limit." So the file will get uploaded, then if it fails it's truncated or deleted depending on the setting.
Katy
Hmm, that's a shame - it means a 10Gb file would still hog the server for ages, rather than being kicked out as soon as it went over 2Mb (say). Thank you for looking that up for me though!
Magnus Smith
+2  A: 

If you were using ASP.Net you can specify a maximum size of file in web.config (or machine.config), and ASP.Net will throw an error after the size is exceeded in the upload. That is to say, if you specify a limit of 4Mb, and someone tries to upload a 100Mb file, .Net will complain as soon as it has uploaded more than 4Mb.

The property in question is maxRequestLength, which according to MSDN "Specifies the limit for the input stream buffering threshold, in KB. This limit can be used to prevent denial of service attacks that are caused, for example, by users posting large files to the server."

For example:

<configuration>
  <system.web>
    <httpRuntime maxRequestLength="4000" ....

I am not sure if there is an equivalent in classic ASP though.

Tim C
A: 

I've just found an article on how to limit size using a setting called 'AspMaxRequestEntityAllowed' in IIS: http://www.banmanpro.com/support2/File_Upload_limits.asp

However, it doesn't work - my server already has that setting at 200k and yet we are currently uploading 1Mb files ok!

Magnus Smith
Is this because when uploading files the Content-Length header is not present in the http request?
Tim C
Assuming chunked transfer encoding bypasses this.
Magnus Smith
A: 

You can reject the oversized requests at the IIS level before they even get to your application by using Microsoft's UrlScan tool: http://technet.microsoft.com/en-us/security/cc242650.aspx

For IIS 6, it looks like you may not even need that. You should be able to set the MaxRequestEntityAllowed and ASPMaxRequestEntityAllowed metabase properties to your desired maximum value and the requests will be cut off at that point.

Chris Hynes
My server already has ASPMaxRequestEntityAllowed at 200k and yet we are currently uploading 1Mb files ok! It seems to be ignoring it.
Magnus Smith
Did you try setting both values? Or are the uploads using chunked transfer encoding? Also, I believe those settings only apply to ASP, not ASP.NET.
Chris Hynes
I can only assume we are using chunked transfer encoding then (though I don't actually know what this is, sorry!).
Magnus Smith
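The whole thread turns on one point: the limit has to be enforced before or while the body is being read, not after the file has landed on disk, and a request without a Content-Length (chunked transfer encoding) needs a running byte count rather than a header check. The following is an added example in Python, not code from the thread or from Persits, IIS or ASP.NET; it shows both halves of that, plus a magic-byte check for "JPG only" that does not rely on the file extension. The 2 MB cap, the function names and the sample bodies are my own assumptions, constructed for the demonstration.

```python
# Added example (not from the original thread): refuse oversized uploads before the
# body is read when the size is declared, and while it is read when it is chunked.
import io

MAX_UPLOAD_BYTES = 2 * 1024 * 1024      # assumed 2 MB cap (the "2Mb (say)" in the thread)
JPEG_MAGIC = b"\xff\xd8\xff"            # every JPEG file starts with these three bytes


class UploadRejected(Exception):
    """Raised as soon as a request is known to exceed the limit or is malformed."""


def _normalize(headers):
    return {k.strip().lower(): v.strip() for k, v in headers.items()}


def declared_length(headers, limit=MAX_UPLOAD_BYTES):
    """Decide from the headers alone, before reading a single body byte.
    Returns the Content-Length, or None if the body is chunked (size unknown in
    advance). Raises UploadRejected when the declared size is over the limit."""
    h = _normalize(headers)
    if "content-length" not in h:
        if h.get("transfer-encoding", "").lower() == "chunked":
            return None
        raise UploadRejected("no Content-Length and not chunked: refuse (411 Length Required)")
    try:
        n = int(h["content-length"])
    except ValueError:
        raise UploadRejected("malformed Content-Length") from None
    if n < 0 or n > limit:
        raise UploadRejected(f"declared {n} bytes, limit is {limit}")
    return n


def read_chunked(stream, limit):
    """Decode an HTTP/1.1 chunked body while counting bytes; abort the moment the
    running total would pass the limit, without reading the rest of that chunk."""
    body = bytearray()
    while True:
        size_line = stream.readline()
        if not size_line:
            raise UploadRejected("truncated chunked body")
        try:
            size = int(size_line.split(b";")[0].strip(), 16)   # chunk-size may carry ";ext"
        except ValueError:
            raise UploadRejected("malformed chunk size") from None
        if size == 0:
            while stream.readline() not in (b"\r\n", b"\n", b""):
                pass                                      # skip trailers up to the blank line
            return bytes(body)
        if len(body) + size > limit:
            raise UploadRejected(f"chunked body would pass {limit} bytes; dropping it")
        data = stream.read(size)
        if len(data) != size:
            raise UploadRejected("truncated chunk")
        body += data
        stream.readline()                                 # CRLF that terminates the chunk


def receive_upload(headers, stream, limit=MAX_UPLOAD_BYTES):
    """Header-level rejection, then a length-bounded body read, then content
    sniffing. Returns the JPEG bytes or raises UploadRejected."""
    n = declared_length(headers, limit)
    if n is None:
        body = read_chunked(stream, limit)
    else:
        body = stream.read(n)          # never read more than what was declared (and allowed)
        if len(body) != n:
            raise UploadRejected("body shorter than Content-Length")
    if not body.startswith(JPEG_MAGIC):
        raise UploadRejected("not a JPEG (magic bytes mismatch), whatever the extension says")
    return body


def encode_chunked(parts):
    """Build a chunked request body from byte strings (used to construct sample input)."""
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts) + b"0\r\n\r\n"


def try_receive(headers, data, limit=MAX_UPLOAD_BYTES):
    """Run receive_upload over an in-memory body and report
    (accepted_body_or_None, rejection_reason_or_None, bytes_consumed_from_stream)."""
    stream = io.BytesIO(data)
    try:
        return receive_upload(headers, stream, limit), None, stream.tell()
    except UploadRejected as e:
        return None, str(e), stream.tell()


if __name__ == "__main__":
    jpeg = JPEG_MAGIC + b"\x00" * 29                      # constructed 32-byte JPEG-headed blob
    print(try_receive({"Content-Length": str(len(jpeg))}, jpeg))
    print(try_receive({"Content-Length": str(10 * 1024 ** 3)}, jpeg))   # "10 GB" refused, 0 bytes read
    big = encode_chunked([JPEG_MAGIC + b"A" * 7, b"B" * 10])
    print(try_receive({"Transfer-Encoding": "chunked"}, big, limit=16))  # stops inside 2nd chunk
```

The bytes-consumed value is the useful number: a declared 10 GB is refused with zero body bytes read, and a chunked body is dropped as soon as the next chunk size would take the total past the cap, which is the behaviour the Persits component (per Katy's manual quote) does not give. The magic-byte check only confirms the file is shaped like a JPEG; it says nothing about what follows the header, so it should sit alongside, not replace, the size cap and any virus scanning already in place.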