
RE: [WEB SECURITY] File uploading vulnerabilities



Mike,

 

1.  Do the virus scan after the upload.  If you don't, then it will be easy
for malicious users to bypass the virus scanner and upload malicious files.

 

2.  You're on the right track, but go further: never let the user supply the
filename if you can help it.  Generate a filename on the server side that is
not based on user-supplied data.

 

3.  Yes - in my work as a penetration tester, I've found that there is no
more fertile ground for exploitation than issues with file upload/download
functionality.  Here's some more advice along these lines:

- Ask yourself if you can avoid storing the upload as a file on disk.
Consider storing the file contents as a blob in a database table instead.
(This is a good alternative to the dangerous business of working with file
system paths & filenames.)

 

- Don't rely on file extensions for security purposes.  For example, just
because the file extension is ".pdf" doesn't mean the file is a valid PDF,
or that it's safe to work with.  File contents are user input, and ought to
be validated as such.

 

- Don't expose file system paths or names to users.  Let users refer to
files by indices into a database table instead.

 

- Put user-accessible upload/download data on its own partition.  By
separating it from the app & system partitions, you mitigate possible issues
related to resource exhaustion & directory traversal.

 

Hope that helps,

 

- Eric

 

From: mike [mailto:mike9966@rediffmail.com] 
Sent: Wednesday, September 10, 2008 8:22 AM
To: websecurity@webappsec.org
Subject: [WEB SECURITY] File uploading vulnerabilities

 

 
Hi,

We have functionality in the web application, where an end user needs to
upload .exe files on the server. The files are getting stored in a folder on
the server.

When I searched about the security issues related with file uploading, it is
suggested that I need to perform virus check before uploading. The
application is built on ASP with no database.

1. Can anyone point me to the ways to perform virus scanning on the files
before uploading? Are there any plug-in/component/web service available,
which I can use to perform this action?

2. If I remove the .exe extension and store the file on the server, will that
reduce any risk associated with virus/Trojans?

3. Apart from virus check, what all things we need to keep in mind (from
security) for file uploading issues?


Thanks in advance

Regards
Mike 
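The handling Eric describes in points 1 through 3 (scan on the server after the bytes have arrived, a server-generated name instead of the user's, contents checked by their leading bytes rather than by extension, and storage as a database blob that users refer to by an opaque handle), as an added Python example that is not part of the original thread. The MAGIC table, the size cap, the sqlite schema and the EICAR-based stand-in scanner are assumptions made for the illustration; a production deployment would hand the stored bytes to a real scanning engine.

```python
"""Hardened upload handling, an added example illustrating the advice above.
Not code from the original thread; every name here is hypothetical."""
import hashlib
import secrets
import sqlite3
from dataclasses import dataclass
from typing import Callable, Optional

# Content signatures (magic bytes) for the types this example accepts.
# Constructed for the example; a real table would cover only the types the
# application needs (or use libmagic). The extension is never consulted.
MAGIC = {
    "application/pdf": b"%PDF-",
    "application/vnd.microsoft.portable-executable": b"MZ",  # DOS/PE header
    "image/png": b"\x89PNG\r\n\x1a\n",
}
MAX_BYTES = 10 * 1024 * 1024  # hypothetical size cap; bound reads first

# The EICAR test string: the standard harmless sample every AV engine flags.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


class UploadRejected(ValueError):
    """Raised when an upload fails validation before it is stored."""


def sniff_type(data: bytes) -> Optional[str]:
    """Identify content by its leading bytes, ignoring any filename or extension."""
    for mime, prefix in MAGIC.items():
        if data.startswith(prefix):
            return mime
    return None


def eicar_scanner(data: bytes) -> bool:
    """Stand-in for a real scanner (e.g. a clamd socket). True means clean."""
    return EICAR not in data


@dataclass
class StoredUpload:
    handle: str   # opaque, server-generated; the only thing the user ever sees
    mime: str
    size: int
    sha256: str
    clean: bool


class UploadStore:
    def __init__(self, conn: sqlite3.Connection, scanner: Callable[[bytes], bool]):
        self.conn = conn
        self.scanner = scanner
        conn.execute(
            "CREATE TABLE IF NOT EXISTS uploads ("
            " id INTEGER PRIMARY KEY AUTOINCREMENT,"
            " handle TEXT UNIQUE NOT NULL, mime TEXT NOT NULL, size INTEGER NOT NULL,"
            " sha256 TEXT NOT NULL, scanned_clean INTEGER NOT NULL DEFAULT 0,"
            " body BLOB NOT NULL)")

    def accept(self, data: bytes, declared_mime: str) -> StoredUpload:
        if len(data) > MAX_BYTES:
            raise UploadRejected("upload exceeds size limit")
        # The bytes must match what the client claims; a renamed file is rejected.
        actual = sniff_type(data)
        if actual is None or actual != declared_mime:
            raise UploadRejected(f"content looks like {actual}, not {declared_mime}")
        # Server-generated, random handle: nothing from the user lands in a name.
        handle = secrets.token_urlsafe(16)
        digest = hashlib.sha256(data).hexdigest()
        self.conn.execute(
            "INSERT INTO uploads (handle, mime, size, sha256, scanned_clean, body)"
            " VALUES (?, ?, ?, ?, 0, ?)",
            (handle, actual, len(data), digest, data))
        # Scan AFTER the bytes are on the server, on exactly the bytes stored.
        # The row stays quarantined (scanned_clean = 0) until the scanner says so.
        clean = self.scanner(data)
        self.conn.execute("UPDATE uploads SET scanned_clean = ? WHERE handle = ?",
                          (1 if clean else 0, handle))
        self.conn.commit()
        return StoredUpload(handle, actual, len(data), digest, clean)

    def fetch(self, handle: str) -> Optional[bytes]:
        """Serve by handle only, and only rows that passed the scan."""
        row = self.conn.execute(
            "SELECT body FROM uploads WHERE handle = ? AND scanned_clean = 1",
            (handle,)).fetchone()
        return bytes(row[0]) if row else None


def open_store(scanner: Callable[[bytes], bool] = eicar_scanner) -> UploadStore:
    """In-memory store for the demo; a real app would pass its own connection."""
    return UploadStore(sqlite3.connect(":memory:"), scanner)


if __name__ == "__main__":
    store = open_store()
    good = store.accept(b"%PDF-1.4\n%%EOF\n", "application/pdf")
    bad = store.accept(b"MZ" + b"\x00" * 62 + EICAR,
                       "application/vnd.microsoft.portable-executable")
    print(good.clean, store.fetch(good.handle) is not None)   # True True
    print(bad.clean, store.fetch(bad.handle) is not None)     # False False
```

Two things the code makes concrete that the prose leaves implicit: the scan result is recorded against the row and unscanned or dirty rows are never served, which is what makes scanning after upload safe rather than merely late; and the magic-byte check only establishes that the bytes are the declared kind, so a genuine but malicious .exe still passes it and the scanner remains the control for that case. The handle is random rather than a sequential row id, so one user cannot enumerate another's files; a per-user ownership check on the handle is still needed before serving.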

 


 



Brought to you by http://www.webappsec.org