How do I secure a folder used to let users upload files? - security

I have a folder in my web server used for the users to upload photos using an ASP page.
Is it safe enough to give IUSR write permissions to the folder? Must I secure something else?
I am afraid of hackers bypassing the ASP page and uploading content directly to the folder.
I'm using ASP classic and IIS6 on Windows 2003 Server. The upload is through HTTP, not FTP.
Edit: Changing the question for clarity and changing my answers as comments.

also, I would recommend not to let the users upload into a folder that's accessible from the web. Even the best MIME type detection may fail and you absolutely don't want users to upload, say, an executable disguised as a jpeg in a case where your MIME sniffing fails, but the one in IIS works correctly.
In the PHP world it's even worse, because an attacker could upload a malicious PHP script and later access it via the webserver.
Always, always store the uploaded files in a directory somewhere outside the document root and access them via some accessing-script which does additional sanitizing (and at least explicitly sets a image/whatever MIME type.

How will the user upload the photos? If you are writing an ASP page to accept the uploaded files then only the user that IIS runs as will need write permission to the folder, since IIS will be doing the file I/O. Your ASP page should check the file size and have some form of authentication to prevent hackers from filling your hard drive.
If you are setting up an FTP server or some other file transfer method, then the answer will be specific to the method you choose.

You'll have to grant write permissions, but you can check the file's mime type to ensure an image. You can use FSO as so:
set fs=Server.CreateObject("Scripting.FileSystemObject")
set f=fs.GetFile("upload.jpg")
'image mime types or image/jpeg or image/gif, so just check to see if "image" is instr
if instr(f.type, "image") = 0 then
f.delete
end if
set f=nothing
set fs=nothing
Also, most upload COM objects have a type property that you could check against before writing the file.

Your best bang for the buck would probably be to use an upload component (I've used ASPUpload) that allows you to upload/download files from a folder that isn't accessible from the website.
You'll get some authentication hooks and won't have to worry about someone casually browsing the folder and downloading the files (or uploading in your case), since the files are only available through the component.

Related

Joomla malicious file upload and cross site scripting

My site is under security audit to get the security certification. After audit they gave me two security issues to look at.
Stored Cross Site Scripting: The application must implement server side validation for all user-entered inputs. Only expected values should be accepted. Script tags should be rejected. All user inputs should be sanitized.
Malicious File Upload
I have added the at filter tags in Joomla global configuration text filters. And also though I have clearly stated for all file upload elements to only use .jpg,.jpeg,.png extensions, I can still upload .php extension files.
How can we rectify these two issues?
Regards
Use the defines.php file to clean the POST data before it reaches the Joomla site, and block any request with $_FILES in it.
If your website needs to allow users to upload files, then make sure that these files only consist of specific file types, and, if you don't need the external world to have access to these files, then block access to these files (in the folder you have them uploaded to) using an htaccess rule.

How to prevent users from browsing certain files of my website

I have recently launched a website on GoDaddy hosting. I have keept some images and JavaScript files used in website, in separate folders. I want to prevent the users from browsing those images and files by simply appending the folder and file name in the website URL. For example
www.example.com/images/logo.png
If I understand correctly, you want to have html file with images, that shouldn't be accessible alone? If yes, then it cannot be done. You can watch for correct HTTP Referrer header, but it can be simply faked and it also makes it inaccessible for browsers that don't send referrer or having sending it forbidden for "privacy" reasons.
If you want hide files to be accessible only by server side scripts, ftp/scp, then you can try to use .htaccess (if GoDaddy runs on Apache) and correct configuration: https://httpd.apache.org/docs/2.2/howto/access.html
Another way could be hiding that files and creating one-shot token like this:
<img src=<?pseudocode GEN_TOKEN("file.jpg") ?> /> with another file serving these hidden files just for generated token, then deleting it from DB. Nevertheless, this will not protect anybody from downloading or accessing these files, if they want...
But, anyway, try to clarify your question better...
If you are keeping images/files in folder which is open to public, I guess you kept in that folder for purpose, you want public to access those images and files.
How public know images file name? Stop file content listing for your web site.
I am not aware which language you are using on web server, but in ASP.NET you may write module/ middle ware which can intercept in coming request and based on your logic (e.g. authentication and authorization) you can restrict access. All modern languages support this kind of functionality.

Find files in website directory

Let's say there's a website www.example.com/user/john. Accessing that link takes you to www.example.com/user/john/index.html.
There are files like www.example.com/user/john/picture.png and www.example.com/user/john/document.html. These are also accessible to the public, but there's no link to these from index.html.
Is there a systematic way to find out these files? I'm asking because I'm going to set up my website, and I also want to put up a few files that I don't necessarily want every one to see, only people who I give the link to. So I'm wondering how easy/hard it is to find out that those files exist in my directory.
Most importantly you have to switch off the possibility to just browse the directory with the browser. Every server has its own way to switch this off. Then you can use the proposed way of "security through obscurity".
Another way can be, to have a specific folder whos access is restricted by a http basic authentication. This can be configured in the .htaccess file which you put in the root folder of your directory you want to share only with specific people.
Just google ".htacces" and "basic authentication".
HTTP does not provide a directory listing method as such. Most web servers can be set up to provide a HTML-formatted directory listing if an index file such as index.html does not exist. If you provide an index file so that autoindexing does not happen (or if you disable autoindex by web server configuration), and if your "hidden" file names are hard to guess, they should be pretty hard to find. I sometimes publish such files in a directory with a random gibberish name.
"Share links" used by Dropbox, Picasa and other services do the same, they just use longer random file/directory names or random parameters in the URL.
To provide real security you'll want to set up https (SSL/TLS) so that any eavesdroppers on the network cannot easily look at the requested URLs, and authentication such as HTTP Basic Authentication with username/password. For less sensitive stuff, http to a random hidden directory will often do fine.

Block visitors access to .xml files but allow flash to open them

I want to deny permission of visitors to access http://example.com/xml_folder/xml_file1.xml and any other .xml file in the xml_folder. I can do that easily modifying folder permisions.
The problem is that I also have a small flash on my website that needs to access those .xml files and once I remove "read" from "Public permissions" the flash can't access the files either (which I think is pretty normal).
So .. my question is: how do I restrict visitors to access the .xml files but not the flash.swf file ?
Btw, it's running on a linux vps.
This is not possible. If Flash can retrieve the file then so can a user who watches with FireBug and captures the URL.
Try hosting a password-protected HTTPS virtual server with just the XML files. Use the username and password in the flash (This flash code must hide the user name and password as well). I'm not familiar with flash programming. But I hope you get the idea.

How to protect my site user file from a website downloader

Hi suppose my site as www.xyz.com and i have a folder as _Userfile which have file uploaded by my users and if they download there file the link is www.xyz/_Userfile/userfile.doc now i want to learn this:
if some one has the link to other user file he can download it i want to solve this(privacy)
2: protect my site file from website downloader.
ASAP plz
Also i am using virtual directory to save my user files so i need a way to protect any type of file to be downloaded by any kind of software
You'll have to implement an authentication mechanism, and to serve those files through a server-side application (in PHP, Java or whatever), that checks if the authenticated user has the right to access a resource, then reads the resource from the disk and writes it to the HTTP response. The documents should be placed in a location that is not directly accessible through HTTP.
Just add index.html file in the folder _Userfile... This will prevent others accessing the whole directory listing in _UserFile folder! Simple isn't it?

Resources