[WEB SECURITY] File uploading vulnerabilities
Gleb Paharenko
gpaharenko at gmail.com
Wed Sep 10 13:27:35 EDT 2008
Hi.
See my comments inline.
2008/9/10 mike <mike9966 at rediffmail.com>:
>
> Hi,
>
> We have functionality in the web application, where an end user needs to
> upload .exe files on the server. The files are getting stored in a folder on
> the server.
>
> When I searched about the security issues related with file uploading, it is
> suggested that I need to perform virus check before uploading. The
> application is built on ASP with no database.
>
> 1. Can anyone point me to the ways to perform virus scanning on the files
> before uploading? Are there any plug-in/component/web service available,
> which I can use to perform this action?
In case you store files on the filesystem, a good antivirus with
real-time protection will fit your needs, though it will
dramatically reduce performance. Also, there are protocols for content
filtering - ICAP or CVP.
>
> 2. If I remove the .exe extension and store file on the server, will that
> reduce any risk associated with virus/Trojans?
Not sure. I'm mostly a Unix guy and there it won't help, but for Windows
perhaps so-so.
>
> 3. Apart from virus check, what all things we need to keep in mind (from
> security) for file uploading issues.
>
Google for "owasp file upload". Maybe this will help a bit:
http://www.owasp.org/index.php/File_System#File_upload
>
> Thanks in advance
>
> Regards
> Mike
>
>
--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko