Re: [WEB SECURITY] File uploading vulnerabilities

["Simone Onofri" <simone.onofri@xxxxxxxxx>]

Dear Mike,

Check also if users load scripts (also .asp files) which can be
rootkits, shell or something. I've seen a lof of this for PHP, more
for ASP but there are scripts for all languages.

Cheers,

Simone

On Wed, Sep 10, 2008 at 5:22 PM, mike <mike9966@xxxxxxxxxxxxxx> wrote:
> &nbsp;
> Hi,
>
> We have functionality in the web application, where an end user needs to
> upload .exe files on the server. The files are getting stored in a folder on
> the server.
>
> When I searched about the security issues related with file uploading, it is
> suggested that I need to perform virus check before uploading. The
> application is build on ASP with no database.
>
> 1. Can anyone point me to the ways to perform virus scanning on the files
> before uploading? Are thee any plug-in/component/web service available,
> which I can use to perform this action?
>
> 2. If I remove the .exe extension and store file on the server, will that
> reduces any risk associated with virus/Trojans.
>
> 3. Apart from virus check, what all things we need to keep in mind(from
> security) for file uploading issues.
>
>
> Thanks in advance
>
> Regards
> Mike
>
>



-- 
Simone Onofri
http://www.siatec.net/

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA