[WEB SECURITY] File uploading vulnerabilities

Eric Rachner eric at rachner.us
Mon Sep 15 16:51:12 EDT 2008

Hi Mike,


Two comments from me:


First, your question would be better answered by Norton than the community
at large.  I'm not sure any of us are in a position to back up Norton's
claims of suitability for your particular purpose.


Second - and I was remiss for neglecting to say this in my original response
to your question - no matter which anti-virus engine you use, you should
consider running the AV engine in a dedicated, isolated environment, if
possible.  AV engines are a kind of attack surface, and a very large one at
that.  Check out the following presentation for more info on the subject:






- Eric


From: mike [mailto:mike9966 at rediffmail.com] 
Sent: Monday, September 15, 2008 7:28 AM
To: websecurity at webappsec.org
Subject: Re: RE: [WEB SECURITY] File uploading vulnerabilities


Hi all,

Thanks for the pointers. But, I have a further query about any Antivirus
(installed on the server) that automatically checks for viruses whenever any
files are accessed (coming from Internet, removable disks, or email

A Norton AntiVirus Auto-Protect feature, which says

"Auto-Protect scans all files that are received from any source, such as the
Internet, removable disks, or email attachments. Auto-Protect scans files
for viruses, Trojan horses, and worms any time that the files are accessed,
such as when they are copied, moved, run, or opened"


Can this AntiVirus Auto-Protect feature reduce the virus threat, and could
it be considered a solution for secure file uploading?


On Sun, 14 Sep 2008 Boaz Shunami wrote :
>Hi Mike,
>Some more tips I can add:
>The risk with uploading is threefold:
>      A. The uploaded file takes over a vulnerability in the upload
>      B. Someone or something (e.g. a person or machine) executes the
>uploaded file.
>      C. One of your users downloads the uploaded file.
>The antivirus recommendations mentioned earlier will help you with B and
>In order to be secured against A, you need to verify your upload
>mechanism is not vulnerable; this can be done by using a known, tested,
>secured component or running a security audit on your existing systems.
>Another precaution you may choose is to minimize the amount of
>interaction the upload component has with user supplied data or in other
>words - verify the input received from the client.
>Best Regards,
>Boaz Shunami, QSA
>Comsec Consulting
>-----Original Message-----
> From: Gleb Paharenko [mailto:gpaharenko at gmail.com]
>Sent: Wednesday, September 10, 2008 8:28 PM
>To: mike
>Cc: websecurity at webappsec.org
>Subject: Re: [WEB SECURITY] File uploading vulnerabilities
>See my comments inline.
>2008/9/10 mike <mike9966 at rediffmail.com>:
> >  
> > Hi,
> >
> > We have functionality in the web application, where an end user needs
> > to upload .exe files on the server. The files are getting stored in a
>folder on
> > the server.
> >
> > When I searched about the security issues related with file uploading,
>it is
> > suggested that I need to perform virus check before uploading. The
> > application is built on ASP with no database.
> >
> > 1. Can anyone point me to the ways to perform virus scanning on the
> > before uploading? Are there any plug-in/component/web service
> > which I can use to perform this action?
>In case you store files on the filesystem, a good antivirus with
>real-time protection will meet your needs, though it will
>dramatically reduce performance. Also there are protocols for content
>filtering - ICAP or CVP.
> >
> > 2. If I remove the .exe extension and store the file on the server, will
> > it reduce any risk associated with viruses/Trojans?
>Not sure. I'm mostly a Unix guy and there it won't help, but for Windows
>perhaps so-so.
> >
> > 3. Apart from virus check, what all things we need to keep in
> > security) for file uploading issues.
> >
>google for "owasp file upload". Maybe this will help a bit:
>  http://www.owasp.org/index.php/File_System#File_upload
> >
> > Thanks in advance
> >
> > Regards
> > Mike
> >
> >
>Best regards.
>Gleb Pakharenko.
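The thread above makes three points that an upload handler should turn into code: verify the input received from the client (Boaz's point A), do not rely on stripping the .exe extension (Gleb's answer to question 2, since the file content is what matters), and keep the AV engine out of the web process (Eric's isolation advice). The following upload gate is an added example written for this archive page; it is not Mike's ASP application nor any poster's code. It assumes a hypothetical Python service in which accepted files are written outside the web root under a random name and an out-of-process scanner is supplied as a callable (a placeholder for an ICAP client or an isolated AV service).

```python
"""Added example (not from the thread): a fail-closed upload gate.

Assumptions (hypothetical): uploads are stored outside the web root and served
only through a download handler; `scanner` is a callable that talks to an
isolated AV engine (e.g. over ICAP) and returns True when the bytes are clean.
"""
import os
import secrets
import tempfile
from dataclasses import dataclass
from typing import Callable, Optional

# Allowlist of extensions the service is willing to keep (not a denylist of bad ones).
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "txt"}
MAX_BYTES = 5 * 1024 * 1024

# Leading bytes expected for each allowed binary type; used to cross-check the claimed name.
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}

# Headers of native executables: PE ("MZ"), ELF, Mach-O (both byte orders) and fat/Java "cafebabe".
EXECUTABLE_HEADERS = (
    b"\x7fELF",
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
)


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None  # random server-side name; client name is never reused


def claimed_extension(client_name: str) -> str:
    """Extension the client claims, taken from the basename only so path tricks are ignored."""
    base = os.path.basename(client_name.replace("\\", "/"))
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def looks_executable(data: bytes) -> bool:
    """True if the content starts like a native executable, regardless of its name."""
    return data[:2] == b"MZ" or data[:4] in EXECUTABLE_HEADERS


def check_upload(client_name: str, data: bytes,
                 scanner: Optional[Callable[[bytes], bool]] = None) -> Verdict:
    """Apply every check in order and reject on the first failure (fail closed)."""
    if not data:
        return Verdict(False, "empty upload")
    if len(data) > MAX_BYTES:
        return Verdict(False, "too large")
    ext = claimed_extension(client_name)
    if ext not in ALLOWED_EXTENSIONS:
        return Verdict(False, f"extension not allowed: {ext or '(none)'}")
    # Renaming tool.exe to tool.txt does not change its header; check the bytes, not the name.
    if looks_executable(data):
        return Verdict(False, "content is an executable image")
    expected = MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        return Verdict(False, f"content does not match claimed type {ext}")
    # The scanner runs out of process; a missing or failing scanner means reject, not accept.
    if scanner is not None and not scanner(data):
        return Verdict(False, "rejected by scanner")
    return Verdict(True, "ok", stored_name=f"{secrets.token_hex(16)}.{ext}")


def store_upload(verdict: Verdict, data: bytes, upload_dir: str) -> str:
    """Write an accepted upload with a random name, 0600 permissions, never overwriting."""
    if not verdict.accepted or verdict.stored_name is None:
        raise ValueError("refusing to store a rejected upload")
    path = os.path.join(upload_dir, verdict.stored_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed sample inputs: a tiny PDF and a renamed PE stub.
    pdf_bytes = b"%PDF-1.4\n%constructed sample\n%%EOF\n"
    renamed_pe = b"MZ\x90\x00" + b"\x00" * 60
    clean = lambda _data: True  # stand-in for an isolated AV call
    print(check_upload("report.pdf", pdf_bytes, clean))
    print(check_upload("tool.txt", renamed_pe, clean))
    with tempfile.TemporaryDirectory() as d:
        print(store_upload(check_upload("report.pdf", pdf_bytes, clean), pdf_bytes, d))
```

The order of checks matters: cheap structural checks (size, allowlisted extension, header bytes) run before the expensive scanner call, and the scanner result is only ever used to reject, so an unavailable engine cannot accidentally admit a file. The download side is assumed to serve files with a fixed Content-Disposition and a Content-Type derived from the validated extension rather than from the client's original name.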

