[WEB SECURITY] File uploading vulnerabilities

vimala anand vimalaasree.anand at gmail.com
Wed Sep 24 03:08:41 EDT 2008


Hi Mike,
As Eric suggested, it is better to get it cleared from Norton about this
functionality. And also, since AV engines themselves are a kind of attack surface, it
is better to have a defense-in-depth strategy by not just relying on
anti-virus alone.

Take other precautions like:
  1. Upload files to a destination outside of the web application
     directory.
  2. Put user-accessible upload/download data on its own partition. By
     separating it from the app & system partitions, you mitigate possible issues
     related to resource exhaustion & directory traversal.
  3. Don't expose file system paths or names to users. Let users refer to
     files by indices into a database table instead.
This would help minimise the attack surface but not totally avoid it.
Thanks
Vimala
Application Security
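An added example, not code from the thread, showing precautions 1 and 3 above in Python (the thread's own application is ASP): uploads are written outside the web root under random ids with no extension, and users refer to them only by an id looked up in a table, so a user-supplied name never becomes a path. UploadStore, make_store and MAX_BYTES are assumed names, and the in-memory sqlite table stands in for the application's database.

```python
import os
import re
import secrets
import sqlite3
import tempfile

MAX_BYTES = 10 * 1024 * 1024  # hypothetical per-file limit; bounds resource exhaustion

class UploadStore:
    # Files live outside the web root under random ids; a table maps id -> display name.
    def __init__(self, store_dir):
        self.store_dir = os.path.realpath(store_dir)
        self.db = sqlite3.connect(":memory:")  # stand-in for the app's real database
        self.db.execute("CREATE TABLE uploads (id TEXT PRIMARY KEY, name TEXT, size INTEGER)")

    @staticmethod
    def display_name(user_supplied):
        # Used for display / Content-Disposition only, never to build a path:
        # keep the last path component and a conservative character set.
        base = user_supplied.replace("\\", "/").rsplit("/", 1)[-1]
        base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip(".")
        return base[:100] or "upload"

    def save(self, user_supplied_name, data):
        if len(data) > MAX_BYTES:
            raise ValueError("file too large")
        file_id = secrets.token_hex(16)  # opaque and unguessable, never derived from input
        path = os.path.join(self.store_dir, file_id)  # no extension: nothing to run by name
        if not os.path.realpath(path).startswith(self.store_dir + os.sep):
            raise ValueError("path escaped the store")  # hex id cannot do this; check anyway
        with open(path, "wb") as f:
            f.write(data)
        self.db.execute("INSERT INTO uploads VALUES (?, ?, ?)",
                        (file_id, self.display_name(user_supplied_name), len(data)))
        self.db.commit()
        return file_id

    def fetch(self, file_id):
        # Clients refer to files only by id, validated before it touches the filesystem.
        if not re.fullmatch(r"[0-9a-f]{32}", file_id or ""):
            return None
        row = self.db.execute("SELECT name FROM uploads WHERE id = ?", (file_id,)).fetchone()
        if row is None:
            return None
        with open(os.path.join(self.store_dir, file_id), "rb") as f:
            return row[0], f.read()

def make_store():
    # Constructed demo directory standing in for a partition outside the web root.
    return UploadStore(tempfile.mkdtemp(prefix="uploads-"))
```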
On Tue, Sep 16, 2008 at 2:21 AM, Eric Rachner <eric at rachner.us> wrote:

> Hi Mike,
>
> Two comments from me:
>
> First, your question would be better answered by Norton than the community
> at large.  I'm not sure any of us are in a position to back up Norton's
> claims of suitability for your particular purpose.
>
> Second – and I was remiss for neglecting to say this in my original
> response to your question – no matter which anti-virus engine you use, you
> should consider running the AV engine in a dedicated, isolated environment,
> if possible.  AV engines are a kind of attack surface, and a very large one
> at that.  Check out the following presentation for more info on the subject:
>
> http://www.nruns.com/aps/The_Death_of_AV_Defense_in_Depth-Revisiting_Anti-Virus_Software.pdf
>
> Cheers,
>
> - Eric
>
> *From:* mike [mailto:mike9966 at rediffmail.com]
> *Sent:* Monday, September 15, 2008 7:28 AM
> *To:* websecurity at webappsec.org
> *Subject:* Re: RE: [WEB SECURITY] File uploading vulnerabilities
>
> Hi all,
>
> Thanks for the pointers. But I have a further query about any Antivirus
> (installed on the server) that automatically checks for viruses whenever any
> files are accessed (coming from the Internet, removable disks, or email
> attachments).
>
> A Norton AntiVirus Auto-Protect feature, which says
>
> "Auto-Protect scans all files that are received from any source, such as
> the Internet, removable disks, or email attachments. Auto-Protect scans
> files for viruses, Trojan horses, and worms any time that the files are
> accessed, such as when they are copied, moved, run, or opened"
>
> http://service1.symantec.com/SUPPOT/nav.nsf/docid/1999101412534806?OpenDocument&seg=en&lg=en&ct=us
>
> Can this AntiVirus Auto-Protect feature reduce the virus threat, and could
> it be considered a solution for secure file uploading?
>
> Thanks
> ~Mike
>
> On Sun, 14 Sep 2008 Boaz Shunami wrote :
> >Hi Mike,
> >
> >Some more tips I can add:
> >
> >The risk with uploading is threefold:
> >      A. The uploaded file takes over a vulnerability in the upload
> >mechanism.
> >      B. Someone or something (e.g. a person or machine) executes the
> >uploaded file.
> >      C. One of your users downloads the uploaded file.
> >
> >The antivirus recommendations mentioned earlier will help you with B and
> >C.
> >
> >In order to be secured against A, you need to verify your upload
> >mechanism is not vulnerable; this can be done by using a known, tested,
> >secured component or running a security audit on your existing systems.
> >
> >Another precaution you may choose is to minimize the amount of
> >interaction the upload component has with user supplied data or in other
> >words - verify the input received from the client.
> >
> >Best Regards,
> >
> >Boaz Shunami, QSA
> >Comsec Consulting
> >
> >-----Original Message-----
> > From: Gleb Paharenko [mailto:gpaharenko at gmail.com]
> >Sent: Wednesday, September 10, 2008 8:28 PM
> >To: mike
> >Cc: websecurity at webappsec.org
> >Subject: Re: [WEB SECURITY] File uploading vulnerabilities
> >
> >Hi.
> >
> >See my comments inline.
> >
> >2008/9/10 mike <mike9966 at rediffmail.com>:
> > >
> > > Hi,
> > >
> > > We have functionality in the web application, where an end user needs
> > > to upload .exe files on the server. The files are getting stored in a
> > > folder on the server.
> > >
> > > When I searched about the security issues related with file uploading,
> > > it is suggested that I need to perform a virus check before uploading. The
> > > application is built on ASP with no database.
> > >
> > > 1. Can anyone point me to the ways to perform virus scanning on the
> > > files before uploading? Are there any plug-in/component/web service
> > > available, which I can use to perform this action?
> >
> >In case you store files on the filesystem, a good antivirus with
> >real-time protection will meet your needs, though it will
> >dramatically reduce performance. Also there are protocols for content
> >filtering - ICAP or CVP.
> >
> > >
> > > 2. If I remove the .exe extension and store the file on the server, will
> > > that reduce any risk associated with viruses/Trojans?
> >
> >Not sure. I'm mostly a Unix guy and there it won't help, but for Windows
> >perhaps so-so.
> >
> > >
> > > 3. Apart from the virus check, what are all the things we need to keep in
> > > mind (from a security perspective) for file uploading issues?
> > >
> >
> >google for "owasp file upload". Maybe this will help a bit:
> >  http://www.owasp.org/index.php/File_System#File_upload
> >
> >
> >
> > >
> > > Thanks in advance
> > >
> > > Regards
> > > Mike
> > >
> > >
> >
> >
> >
> >--
> >Best regards.
> >Gleb Pakharenko.
> >http://gpaharenko.livejournal.com
> >http://www.linkedin.com/in/gpaharenko
> >
>



-- 
--Warm Regards
Vimalaasree.A