[WEB SECURITY] File uploading vulnerabilities

Eric Rachner eric at rachner.us
Mon Sep 15 16:51:12 EDT 2008


Hi Mike,

 

Two comments from me:

 

First, your question would be better answered by Norton than the community
at large.  I'm not sure any of us are in a position to back up Norton's
claims of suitability for your particular purpose.

 

Second - and I was remiss for neglecting to say this in my original response
to your question - no matter which anti-virus engine you use, you should
consider running the AV engine in a dedicated, isolated environment, if
possible.  AV engines are a kind of attack surface, and a very large one at
that.  Check out the following presentation for more info on the subject:

 

http://www.nruns.com/aps/The_Death_of_AV_Defense_in_Depth-Revisiting_Anti-Virus_Software.pdf

 

Cheers,

 

- Eric

 

From: mike [mailto:mike9966 at rediffmail.com] 
Sent: Monday, September 15, 2008 7:28 AM
To: websecurity at webappsec.org
Subject: Re: RE: [WEB SECURITY] File uploading vulnerabilities

 

  
Hi all,

Thanks for the pointers. But I have a further query about any antivirus
(installed on the server) that automatically checks for viruses whenever any
files are accessed (coming from the Internet, removable disks, or email
attachments).

Norton AntiVirus has an Auto-Protect feature, which says:

"Auto-Protect scans all files that are received from any source, such as the
Internet, removable disks, or email attachments. Auto-Protect scans files
for viruses, Trojan horses, and worms any time that the files are accessed,
such as when they are copied, moved, run, or opened"

http://service1.symantec.com/SUPPOT/nav.nsf/docid/1999101412534806?OpenDocument&seg=en&lg=en&ct=us

Can this AntiVirus Auto-Protect feature reduce the virus threat, and could it
be considered a solution for secure file uploading?

Thanks
~Mike


On Sun, 14 Sep 2008 Boaz Shunami wrote :
>Hi Mike,
>
>Some more tips I can add:
>
>The risk with uploading is threefold:
>      A. The uploaded file takes over a vulnerability in the upload
>mechanism.
>      B. Someone or something (e.g. a person or machine) executes the
>uploaded file.
>      C. One of your users downloads the uploaded file.
>
>The antivirus recommendations mentioned earlier will help you with B and
>C.
>
>In order to be secure against A, you need to verify your upload
>mechanism is not vulnerable; this can be done by using a known, tested,
>secured component or running a security audit on your existing systems.
>
>Another precaution you may choose is to minimize the amount of
>interaction the upload component has with user supplied data or in other
>words - verify the input received from the client.
>
>Best Regards,
>
>Boaz Shunami, QSA
>Comsec Consulting
>
>-----Original Message-----
> From: Gleb Paharenko [mailto:gpaharenko at gmail.com]
>Sent: Wednesday, September 10, 2008 8:28 PM
>To: mike
>Cc: websecurity at webappsec.org
>Subject: Re: [WEB SECURITY] File uploading vulnerabilities
>
>Hi.
>
>See my comments inline.
>
>2008/9/10 mike <mike9966 at rediffmail.com>:
> > Hi,
> >
> > We have functionality in the web application where an end user needs to
> > upload .exe files on the server. The files are getting stored in a folder
> > on the server.
> >
> > When I searched about the security issues related to file uploading, it
> > is suggested that I need to perform a virus check before uploading. The
> > application is built on ASP with no database.
> >
> > 1. Can anyone point me to the ways to perform virus scanning on the files
> > before uploading? Are there any plug-in/component/web service available
> > which I can use to perform this action?
>
>In case you store files on the filesystem, a good antivirus with
>real-time protection will meet your needs, though it will
>dramatically reduce performance. Also there are protocols for content
>filtering - ICAP or CVP.
>
> >
> > 2. If I remove the .exe extension and store the file on the server, will
> > that reduce any risk associated with viruses/Trojans?
>
>Not sure. I'm mostly a Unix guy and there it won't help, but for Windows
>perhaps so-so.
>
> >
> > 3. Apart from the virus check, what all things do we need to keep in mind
> > (from security) for file uploading issues?
> >
>
>Google for "owasp file upload". Maybe this will help a bit:
>  http://www.owasp.org/index.php/File_System#File_upload
>
>
>
> >
> > Thanks in advance
> >
> > Regards
> > Mike
> >
> >
>
>
>
>--
>Best regards.
>Gleb Pakharenko.
>http://gpaharenko.livejournal.com
>http://www.linkedin.com/in/gpaharenko
>
>

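The controls the thread converges on (Boaz's risks A through C, Mike's question about dropping the .exe extension, Gleb's note that a real-time scanner or an ICAP/CVP hook does the scanning, and Eric's point that the AV engine itself is attack surface and belongs in an isolated environment) fit together as a quarantine-then-release pipeline. The following is an added example, not code from any of the posters: uploads are streamed to a quarantine directory outside the web root under a random name with no extension and no execute bit, scanned, and only then moved to the serving store; downloads are served as attachments with sniffing disabled. The directory names, the size limit, and the scanner are illustrative assumptions; the scanner only looks for the EICAR test string so that the example runs offline, and a real deployment would hand the file to an out-of-process AV engine at that point.

```python
# Added example (not code from the thread): quarantine-then-release handling
# for uploaded .exe files. Limits, directories and the EICAR-based scanner are
# illustrative assumptions; a real AV engine runs isolated, out of process.
import hashlib
import io
import os
import re
import secrets
import shutil
import tempfile
from pathlib import Path

MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # hypothetical policy limit
# Standard harmless test string every AV engine detects; stand-in scanner input.
EICAR_TEST_STRING = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-"
                     b"ANTIVIRUS-TEST-FILE!$H+H*")


class UploadRejected(Exception):
    """Raised when an upload violates policy (here: the size limit)."""


def quarantine_upload(stream, quarantine_dir, max_bytes=MAX_UPLOAD_BYTES):
    """Stream an upload into quarantine under a random name with no extension.
    O_EXCL + mode 0600: no race with another writer, no execute bit, and the
    client-supplied filename never touches the disk. Returns (path, sha256)."""
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    dest = qdir / secrets.token_hex(16)
    digest, total = hashlib.sha256(), 0
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as out:
            while chunk := stream.read(64 * 1024):
                total += len(chunk)
                if total > max_bytes:
                    raise UploadRejected(f"upload exceeds {max_bytes} bytes")
                digest.update(chunk)
                out.write(chunk)
    except BaseException:
        dest.unlink(missing_ok=True)  # never leave a partial file behind
        raise
    return dest, digest.hexdigest()


def looks_malicious(path):
    """Stand-in scanner: flags the EICAR string. Swap in ICAP/CLI AV here."""
    with open(path, "rb") as f:
        return EICAR_TEST_STRING in f.read()


def release_or_discard(quarantined, store_dir, scanner=looks_malicious):
    """Delete a flagged file; otherwise move it to the serving store (also
    outside the web root) with mode 0600 and return the new path."""
    quarantined = Path(quarantined)
    if scanner(quarantined):
        quarantined.unlink()
        return None
    store = Path(store_dir)
    store.mkdir(parents=True, exist_ok=True)
    final = store / quarantined.name
    shutil.move(str(quarantined), str(final))
    os.chmod(final, 0o600)
    return final


def sanitize_filename(name):
    """Safe ASCII basename for the Content-Disposition header: drops
    directories, leading dots and anything outside [A-Za-z0-9._-]."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")[:100]
    return base or "download"


def download_headers(original_name):
    # Force a download, forbid content sniffing, echo only a sanitized name.
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{sanitize_filename(original_name)}"',
        "X-Content-Type-Options": "nosniff",
    }


def demo():
    """Run the pipeline on constructed inputs and return the outcomes."""
    qdir, sdir = tempfile.mkdtemp(), tempfile.mkdtemp()
    clean = b"MZ" + b"\x00" * 62  # constructed stand-in for a benign .exe
    path, digest = quarantine_upload(io.BytesIO(clean), qdir)
    stored = release_or_discard(path, sdir)
    flagged_path, _ = quarantine_upload(io.BytesIO(EICAR_TEST_STRING), qdir)
    flagged = release_or_discard(flagged_path, sdir)
    try:
        quarantine_upload(io.BytesIO(b"A" * 20), qdir, max_bytes=10)
        oversize_rejected = False
    except UploadRejected:
        oversize_rejected = True
    return {
        "stored_extension": stored.suffix,
        "stored_mode": oct(os.stat(stored).st_mode & 0o777),
        "digest_matches": digest == hashlib.sha256(clean).hexdigest(),
        "eicar_discarded": flagged is None and not flagged_path.exists(),
        "oversize_rejected": oversize_rejected,
        "quarantine_empty": os.listdir(qdir) == [],
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the outcome of `demo()`: the clean upload lands in the store with no extension and mode 0600, the EICAR upload is deleted in quarantine, and the oversize upload is rejected without leaving a partial file. The .exe extension exists only in the `Content-Disposition` header the download endpoint sends, never on disk, so neither the web server nor a stray shell treats the stored blob as executable; the scanner callback is the seam where an isolated AV engine (via ICAP or a command-line scanner on a separate host) plugs in.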