
Re: [WEB SECURITY] File uploading vulnerabilities



Hi.

See my comments inline.

2008/9/10 mike <mike9966@xxxxxxxxxxxxxx>:
> Hi,
>
> We have functionality in the web application, where an end user needs to
> upload .exe files on the server. The files are getting stored in a folder on
> the server.
>
> When I searched about the security issues related with file uploading, it is
> suggested that I need to perform a virus check before uploading. The
> application is built on ASP with no database.
>
> 1. Can anyone point me to the ways to perform virus scanning on the files
> before uploading? Are there any plug-in/component/web service available,
> which I can use to perform this action?

In case you store files on the filesystem, a good antivirus with
real-time protection will meet your needs, though it will
dramatically reduce performance. Also there are protocols for content
filtering - ICAP or CVP.

>
> 2. If I remove the .exe extension and store the file on the server, will that
> reduce any risk associated with viruses/Trojans?

Not sure. I'm mostly a Unix guy and there it won't help, but for Windows
perhaps so-so.

>
> 3. Apart from the virus check, what all things do we need to keep in mind (from
> a security standpoint) for file uploading issues?
>

Google for "owasp file upload". Maybe this will help a bit:
  http://www.owasp.org/index.php/File_System#File_upload



>
> Thanks in advance
>
> Regards
> Mike
>
>



-- 
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko
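An added example (not from this thread, and not Mike's or Gleb's code) of the handling the reply and the OWASP page point at: keep the upload outside the web root under a random, extension-less name, check that the bytes really carry the MZ header an .exe must have, and hand them to a scanner before they are stored. `quarantine_upload`, `demo`, the fake scanner and the size limit are all constructed for illustration; a real deployment would pass an ICAP or clamd client wrapper as `scanner`.

```python
import hashlib
import os
import secrets
import tempfile

MAX_BYTES = 5 * 1024 * 1024   # constructed limit; tune for the application
PE_MAGIC = b"MZ"              # DOS/PE header every Windows .exe begins with


def quarantine_upload(client_name, data, quarantine_dir, scanner=None):
    """Validate an uploaded .exe and store it under a random, extension-less name.

    quarantine_dir must lie outside the web root. `scanner` is any callable
    (e.g. a wrapper around an ICAP or clamd client) returning (is_clean, verdict).
    Returns (stored_path, info) on success or (None, reason) on rejection.
    """
    if len(data) > MAX_BYTES:
        return None, "too large"
    if not data.startswith(PE_MAGIC):
        return None, "not a PE executable"   # claims .exe but lacks the MZ header
    if scanner is not None:
        clean, verdict = scanner(data)
        if not clean:
            return None, "scanner flagged: " + verdict
    # Random name with no extension: the server never maps it to an executable
    # handler, and the client-supplied name never reaches the filesystem.
    stored = os.path.join(quarantine_dir, secrets.token_hex(16))
    fd = os.open(stored, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    info = {"original_name": os.path.basename(client_name),   # recorded only
            "sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
    return stored, info


def demo():
    """Run constructed inputs through quarantine_upload(); returns the outcomes."""
    def fake_scanner(data):   # stand-in for a real AV client, constructed for the demo
        return (b"EICAR" not in data, "Eicar-Test-Signature")
    qdir = tempfile.mkdtemp(prefix="quarantine-")
    path, info = quarantine_upload("../../setup.exe", b"MZ" + b"\x00" * 64, qdir, fake_scanner)
    return {
        "stored_in_dir": os.path.dirname(path) == qdir,
        "no_extension": "." not in os.path.basename(path),
        "original_name": info["original_name"],
        "script_rejected": quarantine_upload("a.exe", b"#!/bin/sh\n", qdir, fake_scanner),
        "flagged": quarantine_upload("b.exe", b"MZ EICAR", qdir, fake_scanner),
        "too_large": quarantine_upload("c.exe", b"MZ" + b"\x00" * MAX_BYTES, qdir),
    }
```

Serving a stored file back to users should go through a download handler that sets the recorded original name and a fixed Content-Type, never a direct URL into the quarantine directory.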

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA


