Our legacy ASP.NET 2.0 website, running in IIS6 on Windows 2003 Server, accepts lots of user uploaded and user downloadable files. Not page content; asset files like PDFs and PNGs mostly. However it is of course advisable not to let the naughty buggers upload ASPX files and suddenly be able to execute code on our server.
So ... you'd think we could just set "Execute permissions: none" in the appropriate folder where user uploaded files end up, and that'd be the end of it. Alas.
User uploaded files end up in folders named like these patterns: (nnnn, kkkk and llll represent digit strings of varying length)
/sites/nnnn/files/ftp
/sites/nnnn/files/orders/kkkk/llll
/sites/nnnn/files/proofs
/sites/nnnn/files/webFiles
BUT ... there are also CSS files stored in folders like these:
/sites/nnnn/files/skins/kkkk/*.css
And the CSS files are actually interpreted as ASPX code, so that color palette substitutions can be passed in the querystring, like this:
/sites/2132/skins/83/layout.css?palette=cc33dd,aa22bb,1155ff
So, "Execute permissions: none" is a no-no at the /sites level. And I really would rather not do it at /sites/nnnn/files, individually for a few thousand nnnn.
So I've been told URLScan 3.1 is the ticket, but after an hour or two of staring at the documentation I'm more confused than ever.
Any ideas?
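One way to get the effect of "Execute permissions: none" on the upload folders without touching thousands of folders or URLScan, as an added example that is not part of the original post: an ASP.NET IHttpModule that refuses any request for an executable extension whose path matches the upload-folder patterns above, while /sites/nnnn/files/skins/kkkk/*.css is left alone. The class name, the extension list and the 404 response are assumptions; the path patterns are the ones given in the question.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

// Added example (assumed name): refuses to execute server-side files that live
// in the user-upload folders, leaving the ASPX-interpreted skin CSS untouched.
public class UploadFolderNoExecuteModule : IHttpModule
{
    // Upload folders from the question; nnnn / kkkk / llll are digit strings.
    // Windows paths are case-insensitive, so the match is too.
    private static readonly Regex UploadFolder = new Regex(
        @"^/sites/\d+/files/(ftp|orders/\d+/\d+|proofs|webFiles)(/|$)",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Assumed list: extensions that ASP.NET would execute or compile if served.
    // Extend it to match whatever is mapped to aspnet_isapi.dll on the server.
    private static readonly string[] ExecutableExtensions =
        { ".aspx", ".asax", ".ascx", ".ashx", ".asmx", ".master", ".axd", ".rem", ".soap" };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    // True when the request must be refused: an executable extension under an
    // upload folder. Kept free of HttpContext so it can be unit-tested directly.
    public static bool ShouldBlock(string appRelativePath)
    {
        if (!UploadFolder.IsMatch(appRelativePath))
            return false;   // e.g. /sites/2132/files/skins/83/layout.css is not an upload folder
        string ext = Path.GetExtension(appRelativePath);
        foreach (string e in ExecutableExtensions)
            if (string.Equals(ext, e, StringComparison.OrdinalIgnoreCase))
                return true;
        return false;       // PDFs, PNGs and other assets are served normally
    }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        // AppRelativeCurrentExecutionFilePath is "~/sites/..."; drop the leading "~".
        string path = app.Request.AppRelativeCurrentExecutionFilePath.Substring(1);
        if (ShouldBlock(path))
        {
            app.Response.StatusCode = 404;   // do not confirm that the uploaded file exists
            app.CompleteRequest();           // skip the page handler entirely
        }
    }
}
```

Register the module under system.web/httpModules in the site's root web.config; note that it only sees requests for extensions IIS6 already hands to aspnet_isapi.dll, so anything mapped to a different ISAPI extension (classic ASP, for instance) still needs to be handled in the IIS application mappings.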