Anthony

Reputation: 7300

Preventing a user from uploading an executable file or script in a given folder

On my website, users can upload static files (typically pictures) in a given folder.

I just saw this post by Scott Hanselman: http://www.hanselman.com/blog/BackToBasicsWhenAllowingUserUploadsDontAllowUploadsToExecuteCode.aspx

He recommends to add this in the web.config file to make sure that nothing can be executed in that folder:

<location path="upload">
    <system.webServer>
        <handlers accessPolicy="Read" />
    </system.webServer>
</location>

This seems to work. As a test I put an .aspx file in the folder in question. If I try to access it I get an "access is denied" error message while I can still access the pictures.

What I don't understand is why the uploader still works? Doesn't it need the Write permission to save the pictures in the folder?

Upvotes: 1

Views: 1655

Answers (1)

makemoney2010

Reputation: 1242

What is not clear? Here is what Hanselman says:

A FIX FOR ARBITRARY CODE EXECUTION IN USER UPLOAD FOLDERS

What was the fix? Well, certainly not allowing someone to upload a file with a .aspx or .php extension for one, but also to mark the entire uploads folder as not executable! Here is the updated web.config:

Note the bold text, "but also to mark the entire uploads folder as not executable", and in effect

  <handlers accessPolicy="Read" />

it means that a page like .php, .aspx and so on cannot be executed.

Upvotes: 1
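To make the "why does the uploader still work" point concrete, here is a fuller web.config excerpt as an added example; it is not from the question, the answer, or Hanselman's post. The handlers accessPolicy attribute constrains what IIS handlers may do when serving HTTP requests into the upload folder: with "Read" only the static-file handler qualifies, so an uploaded .aspx is returned nowhere and script handlers are refused. The "Write" flag in that attribute refers to handlers that change files over HTTP (WebDAV-style PUT), not to the application's own file-system writes. The upload page itself (here the hypothetical /Upload.aspx, outside the folder) runs normally and saves the picture through the application-pool identity's NTFS rights, which this setting never touches. The requestFiltering block is an additional IIS 7+ layer assumed here as defence in depth; if the handlers section is locked in applicationHost.config, an administrator must unlock it before the location override is accepted.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Added example, not code from the question or from Hanselman's post.
       Assumes the upload endpoint (hypothetical name: /Upload.aspx) lives
       OUTSIDE the "upload" folder. It is served by the normal ASP.NET handler
       and writes the file to disk under the application-pool identity, whose
       NTFS permissions are unaffected by the handler accessPolicy below. -->
  <location path="upload">
    <system.webServer>
      <!-- The fix from the page: requests into /upload may only be served by
           handlers that require Read access (the static file handler).
           Script and Execute handlers (ASP.NET, PHP FastCGI, ...) are
           refused, so an uploaded .aspx is never run. "Write" in this
           attribute would concern handlers that modify files over HTTP
           (e.g. WebDAV), not the application's own file writes. -->
      <handlers accessPolicy="Read" />
      <!-- Defence in depth (assumed IIS 7+ request filtering): refuse to
           serve files with script extensions from this folder at all, so
           even a misconfigured handler section cannot expose them. -->
      <security>
        <requestFiltering>
          <fileExtensions allowUnlisted="true">
            <add fileExtension=".aspx" allowed="false" />
            <add fileExtension=".ashx" allowed="false" />
            <add fileExtension=".asmx" allowed="false" />
            <add fileExtension=".php" allowed="false" />
          </fileExtensions>
        </requestFiltering>
      </security>
    </system.webServer>
  </location>
</configuration>
```

With this in place the check described in the question behaves the same way: a request for /upload/photo.jpg is served by the static file handler, a request for /upload/test.aspx is refused, and the upload page keeps writing files because it is the worker process, not an HTTP handler inside /upload, that performs the write.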
