ansaurus

Question

How do I secure a folder used to let users upload files?

Answer 1

+1 A:

How will the user upload the photos? If you are writing an ASP page to accept the uploaded files then only the user that IIS runs as will need write permission to the folder, since IIS will be doing the file I/O. Your ASP page should check the file size and have some form of authentication to prevent hackers from filling your hard drive.

If you are setting up an FTP server or some other file transfer method, then the answer will be specific to the method you choose.

Ben Williams 2008-08-22 15:03:59

yes, I'm using an ASP page to do the upload, but...It is safe to give IUSR write permission to the folder? If a hacker try to post to same folder, IIS will be involved too.

Eduardo Molteni 2008-09-08 14:23:26

it's probably the most convenient method. Another solution would be to connect back to the server itself and re-upload the uploaded file via FTP for example, but the security benefit for the trouble is not really worth it.

pilif 2008-09-08 14:37:13

Answer 2

A:

You'll have to grant write permissions, but you can check the file's mime type to ensure an image. You can use FSO as so:

set fs=Server.CreateObject("Scripting.FileSystemObject")
set f=fs.GetFile("upload.jpg")
'image mime types or image/jpeg or image/gif, so just check to see if "image" is instr
if instr(f.type, "image") = 0 then
   f.delete
end if
set f=nothing
set fs=nothing

Also, most upload COM objects have a type property that you could check against before writing the file.

chrisofspades 2008-08-23 17:17:00

You are getting it wrong. I'm asking about hackers bypassing the ASP page.

Eduardo Molteni 2008-09-08 14:16:04

You also cannot guarantee that the MIME type is correct since this is passed by the browser (as I recall). One should open the image via something like ImageMagik and check that the dimensions can be read properly.

nlucaroni 2008-09-08 14:31:36

Answer 3

+1 A:

also, I would recommend not to let the users upload into a folder that's accessible from the web. Even the best MIME type detection may fail and you absolutely don't want users to upload, say, an executable disguised as a jpeg in a case where your MIME sniffing fails, but the one in IIS works correctly.

In the PHP world it's even worse, because an attacker could upload a malicious PHP script and later access it via the webserver.

Always, always store the uploaded files in a directory somewhere outside the document root and access them via some accessing-script which does additional sanitizing (and at least explicitly sets a image/whatever MIME type.

pilif 2008-09-08 14:35:25

I'm accepting the answer but I'm still not sure if it is a really must having the file in a directory outside the document root. It will add some performance problems I think.

Eduardo Molteni 2008-09-11 17:39:32

if you watch for correctly working caching, the performance problems will be negligible. I've answered how to do this in another question here: http://beta.stackoverflow.com/questions/48555/best-way-to-compress-html-css-js-with-moddeflate-and-modgzip-disabled#48761

pilif 2008-09-11 18:18:49

Answer 4

A:

Your best bang for the buck would probably be to use an upload component (I've used ASPUpload) that allows you to upload/download files from a folder that isn't accessible from the website.

You'll get some authentication hooks and won't have to worry about someone casually browsing the folder and downloading the files (or uploading in your case), since the files are only available through the component.

2008-09-16 21:57:52

ansaurus

tags:

views:

answers:

How do I secure a folder used to let users upload files?

related questions