I have developed an ASP.NET application and a Windows desktop application system. My clients can upload images to the ASP.NET application (only one folder). So if someone uploads a shell script and executes it, one can take the other clients' database files. The ASP.NET application runs under Windows Server 2008 R2 (Web Server edition) and IIS 7.5. It has administrator rights for now. I don't have a domain or domain controller, so I don't have advanced user rights management, and "ApplicationPoolIdentity" doesn't help (I can't even open the page). I thought maybe I can deny execution of uploaded scripts? Is it possible? Or are there any better ways to secure the server from uploaded scripts?
- *cough* http://serverfault.com *cough* – Nov 09 '11 at 18:36
1 Answer
You should change your upload page to reject all files with extensions that aren't images using an extension whitelist.
For additional security, you should configure IIS to not execute scripts in that directory.

– SLaks
- Yes, but if someone uploads a file with a bmp or png extension instead of an aspx/asp extension, or just uploads a file with shell code, IIS still executes that. – Safak Serdar Kapci Nov 09 '11 at 18:34
- @ŞafakKapçı: Wrong. IIS executes files based on extensions, not contents. – SLaks Nov 09 '11 at 18:35
- Thank you @SLaks. I will configure the folder for the user from the file options. – Safak Serdar Kapci Nov 09 '11 at 18:40
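One way to apply the answer's second step on IIS 7.5, as an added example that is not part of the original answer: a web.config placed inside the uploads folder (assumed path: ~/uploads) leaves the folder with Read permission only, so no script or ISAPI handler runs there, and request filtering refuses any extension outside the image whitelist. It assumes the handlers and requestFiltering sections are not locked in applicationHost.config (the IIS 7.5 default) and that the upload page still applies its own extension whitelist.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Assumed location: the uploads folder only (e.g. ~/uploads/web.config),
     never the application root, or the whole site would stop executing. -->
<configuration>
  <system.webServer>
    <!-- Feature permission "Read" only: Script and Execute are dropped for this
         folder, so .aspx/.asp/.ashx/.php style handlers and ISAPI modules cannot
         run here even if such a file is uploaded. Only static serving remains. -->
    <handlers accessPolicy="Read">
      <clear />
      <add name="StaticFile" path="*" verb="GET,HEAD" modules="StaticFileModule"
           resourceType="Either" requireAccess="Read" />
    </handlers>
    <security>
      <requestFiltering>
        <!-- Second layer beside the application's own whitelist: any request for
             an extension not listed below is refused by IIS before any handler. -->
        <fileExtensions allowUnlisted="false">
          <clear />
          <add fileExtension=".jpg"  allowed="true" />
          <add fileExtension=".jpeg" allowed="true" />
          <add fileExtension=".png"  allowed="true" />
          <add fileExtension=".gif"  allowed="true" />
          <add fileExtension=".bmp"  allowed="true" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

IIS Manager writes the same accessPolicy setting when Handler Mappings > Edit Feature Permissions is opened on the folder and Script and Execute are unticked; the config above just makes it explicit and deployable with the application.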