99% of programmers leave the upload area open for hackers to enter the system
This article is only a small suggestion to improve your security. The easiest way to upload a file in ASP.NET, ASP or PHP is simple: we just make one directory with write access in our website.
(Consider the IIS scenario: IIS requires the IUSR_MachineName user to have certain rights on the file system to access it in a web application.)
Let's consider this folder/directory's name to be UploadedFiles, and let's consider WWWROOT to be our website root folder.
So the folder /WWWROOT/UploadedFiles now has IUSR_MachineName write and read access. And by default, read and execute access is already there for the entire /WWWROOT and its subfolders and files.
- You upload a file called ListDatabaseUsers.aspx into /WWWROOT/UploadedFiles
- You access the URL something.com/UploadedFiles/ListDatabaseUsers.aspx
- Here is the big security issue: a hacker can access the script file that was just uploaded
- And the file may successfully show all database users
- Because every programmer knows that your database connections are stored in some config file or in application variables
- By navigating server variables, people can learn the secret passwords of your website and database connections
There are only two solutions. Either control the files that are uploaded by properly checking their extension and MIME type, or do not put your uploaded files directly under any open directory of the website, so that nobody can execute an uploaded script. Script files must be uploaded through FTP only.
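As an added example of the first solution (this is not code from the article), here is an ASP.NET Web Forms code-behind that applies an extension allowlist with a MIME-type consistency check before saving, and stores the file under a random name in the hidden folder the article recommends. The control names fileUpload, lblStatus and btnUpload, the allowlist contents and the size limit are assumptions; the folder path is the article's.

```csharp
// Added example, not from the article. Assumes a FileUpload control "fileUpload",
// a Label "lblStatus" and a Button "btnUpload" declared on the Upload.aspx page.
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;
using System.Web.UI;

public partial class Upload : Page
{
    // Allowlist: extension -> MIME type(s) a browser is expected to send for it.
    // Only non-executable document/image types; .aspx, .asp, .php etc. are never listed.
    private static readonly Dictionary<string, string[]> Allowed =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
    {
        { ".jpg",  new[] { "image/jpeg" } },
        { ".jpeg", new[] { "image/jpeg" } },
        { ".png",  new[] { "image/png" } },
        { ".gif",  new[] { "image/gif" } },
        { ".pdf",  new[] { "application/pdf" } },
        { ".txt",  new[] { "text/plain" } },
    };

    // The article's hidden folder: no website root or virtual directory maps to it.
    private const string HiddenUploadDir = @"c:\IIS-Hidden-WebSites\WWWROOT\UploadedFiles";
    private const int MaxBytes = 5 * 1024 * 1024; // assumed limit

    // Returns null when the upload is acceptable, otherwise the reason it was rejected.
    public static string Validate(string clientFileName, string contentType, int length)
    {
        if (length <= 0 || length > MaxBytes) return "bad size";

        // Path.GetFileName strips any directory part a client might send (..\ or C:\).
        string name = Path.GetFileName(clientFileName ?? "");
        if (name.Length == 0) return "no file name";

        // The decision is made on the final extension against the allowlist.
        string ext = Path.GetExtension(name);
        string[] mimes;
        if (!Allowed.TryGetValue(ext, out mimes)) return "extension not allowed";

        // The MIME type is chosen by the client, so it is only a consistency check,
        // never the primary decision.
        if (Array.IndexOf(mimes, contentType) < 0) return "content type does not match extension";

        return null;
    }

    protected void btnUpload_Click(object sender, EventArgs e)
    {
        if (!fileUpload.HasFile) { lblStatus.Text = "No file."; return; }

        HttpPostedFile f = fileUpload.PostedFile;
        string problem = Validate(f.FileName, f.ContentType, f.ContentLength);
        if (problem != null) { lblStatus.Text = "Rejected: " + problem; return; }

        // Never reuse the client's name on disk: store under a random name plus the
        // validated extension, so nothing the client chose reaches the file system.
        string ext = Path.GetExtension(f.FileName).ToLowerInvariant();
        string storedName = Guid.NewGuid().ToString("N") + ext;
        f.SaveAs(Path.Combine(HiddenUploadDir, storedName));
        lblStatus.Text = "Stored as " + storedName;
    }
}
```

The allowlist is the part that matters: a denylist of script extensions is easy to miss entries in, while an allowlist of a few document types rejects everything else by default. Keeping the random stored name in your own database next to the uploading user's id is what a later Download.aspx would look up.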
Look at the directory structure:

c:\Websites\WWWROOT\            <IIS has read and execute rights by direct URL access>
    \images
    \user
    \UploadedFiles              <IIS has write access as well>

You must create:

c:\IIS-Hidden-WebSites\WWWROOT\
    \UploadedFiles
Your Upload.aspx file must upload and store the file under the IIS-Hidden-WebSites folder, and none of the website's root or virtual directories should point to this folder.
You must add an extra Download.aspx file, which reads the file from the IIS-Hidden-WebSites folder using the File System API and writes the binary file content to the client.
So to access a file, the user must type the URL Download.aspx?File=filename.ext. This is a safe URL because IIS will send the file as binary and it can never be executed, because these files cannot be referenced by any URL.
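As an added example of that Download.aspx (not the article's own code), here is a code-behind that resolves the File= value to a path strictly inside the hidden folder and streams it as an opaque attachment. The folder path is the article's; the ResolveSafePath name and the response headers are my choices. The one thing a real page needs on top of this, which the article does not cover, is a check that the logged-in user is allowed to fetch that particular file.

```csharp
// Added example, not from the article: Download.aspx code-behind.
using System;
using System.IO;
using System.Web;
using System.Web.UI;

public partial class Download : Page
{
    // The article's hidden folder; nothing in IIS maps a URL to it.
    private const string HiddenUploadDir = @"c:\IIS-Hidden-WebSites\WWWROOT\UploadedFiles";

    // Maps the File= query value to an absolute path inside HiddenUploadDir,
    // or returns null if the request must be refused.
    public static string ResolveSafePath(string requestedName)
    {
        if (string.IsNullOrEmpty(requestedName)) return null;

        // Only a bare file name is acceptable: any directory separator, drive
        // letter or ".." component makes GetFileName differ from the input.
        if (requestedName != Path.GetFileName(requestedName)) return null;
        if (requestedName == "." || requestedName == "..") return null;
        if (requestedName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return null;

        // Normalise both sides and confirm the result still lies under the root.
        string root = Path.GetFullPath(HiddenUploadDir).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, requestedName));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return null;

        if (!File.Exists(full)) return null;
        return full;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        string full = ResolveSafePath(Request.QueryString["File"]);
        if (full == null)
        {
            // Same answer for "bad name" and "no such file": nothing to enumerate.
            Response.StatusCode = 404;
            Response.End();
            return;
        }

        // Serve as an opaque attachment: the server never interprets the file, and
        // the browser is told to save it rather than render it in the site's origin.
        Response.Clear();
        Response.ContentType = "application/octet-stream";
        Response.AppendHeader("X-Content-Type-Options", "nosniff");
        Response.AppendHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(full) + "\"");
        Response.TransmitFile(full);
        Response.End();
    }
}
```

The two-step check (reject anything that is not a bare file name, then confirm the normalised path still starts with the root) is what makes Download.aspx?File=..\..\web.config or an absolute path come back as 404 instead of a file from elsewhere on the disk. The quote in the Content-Disposition header is safe to build by concatenation only because a double quote is already rejected by the invalid-character check above.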
The article is very basic and very primitive, but I hope I have explained enough.