Secure Programming Tips - Handling File Uploads

Week 6: Handling File Uploads


Online photo albums, document repositories, content management systems: all of these applications have one thing in common, they allow a user to upload files to a remote server. That server, in most cases, hosts numerous other applications. It may store extremely sensitive customer information. And if it is compromised, the result could be the theft of customer records or confidential corporate information, or potentially the compromise of the entire corporate network. Even the simplest thing, letting a user upload an image to your server, can result in the complete compromise of your corporate network. When was the last time you performed proper security testing on your upload functionality?

When allowing users to upload files to your server, there are several areas that need particular attention: proper input validation of the file type, the location where uploaded files will be stored, and the permissions on that storage location. A mistake in any one of these areas can result in a catastrophic compromise of your server. So when you allow users to upload files, it is essential to put your best security foot forward and enforce strict rules around this functionality.

Generally, when we allow a user to upload a file to our server we restrict the file types we will accept. In some cases we may allow image files such as .jpg, .gif and .png; in other cases, such as a document repository, we may allow files such as .doc, .pdf and .xls. In either case we want to restrict uploads to a predefined allow-list and reject everything else. The only way to enforce file type restrictions is proper input validation, and the validation that counts is the one performed on the server: a client-side check is a convenience for the user, not a security control, because everything the browser sends (the file name, the Content-Type header and the content itself) is under the user's control. The validation must check several things, including the file extension, the content-type, the content itself and the file name.

Proper input validation must be used to ensure the file type the user is attempting to upload is an allowable file type. The easiest first step is to check the extension of the file the user is attempting to upload. Figure 1 shows a sample JavaScript function that performs this check on the client.

Figure 1



function CheckFileExt(fileName, allowedFileTypes)
{
 // Client-side convenience check only: it runs in the user's browser and can
 // be disabled or bypassed, so the server must repeat every check.
 var parts = fileName.split(".");
 var fileType;

 // A name with no dot has no extension and is never allowed.
 if (parts.length < 2)
 {
  alert("Invalid File Type!");
  return false;
 }

 // Take the text after the last dot, case-insensitively, and require an
 // exact match against the array of allowed extensions (no leading dots
 // on either side; a substring search would accept ".jp" for ".jpg").
 fileType = parts[parts.length - 1].toLowerCase();

 if (allowedFileTypes.indexOf(fileType) !== -1)
 {
  return true;
 }
 else
 {
  alert("Invalid File Type!");
  return false;
 }
}

In order to call the validation script above we will use the OnChange event of the file input control, as seen in Figure 2.

Figure 2


OnChange="return CheckFileExt(this.value, ['gif', 'jpg', 'png', 'jpeg']);"

The OnChange handler passes the file name the user has selected, together with an array of allowed file extensions. The function in Figure 1 takes the file name, extracts the extension and compares it to the list of allowed extensions. If the extension is allowed the page lets the user continue; if it is not, a JavaScript alert box informs the user that the file type is invalid. There is one major issue with this though. If the user has turned off JavaScript in their browser, or simply submits the form through an intercepting proxy and edits the request, the validation function is never consulted at all. This is why the client-side check is only a usability aid, and the same validation must be performed on the server.

The next area to consider is the content-type and the content itself. We can't trust a file by its extension alone; we must validate more of it to ensure it is safe. It wouldn't be difficult for a malicious user to place the text seen in Figure 3 into a file and save it with a .pdf extension. Assuming PDF documents are allowed, this bypasses the file extension validation without the file actually being a valid PDF document.

Figure 3


%PDF-<script>alert('Not A Valid PDF Document');</script>

The text above, placed in a file and saved as a PDF document, would not only bypass the file extension validation but also a content-type check. The Content-Type header of an upload is supplied by the client's browser, which derives it from the extension, and an attacker can set it to any value, so it proves nothing about the content. Even a check of the file's leading bytes passes here, because the text begins with the signature of a real PDF document ("%PDF-", normally followed by a version such as "1.4"). The validation must therefore validate the content itself, ideally by handing the bytes to a proper PDF or image parser and rejecting anything it cannot decode. That would show that this file is not a valid PDF document.

The last area of input validation we need to look at is the file name itself. We must ensure the file name does not contain characters that could be used maliciously. Characters such as < and > could be used to inject script where the name is displayed, and path separators (/ and \) together with ".." sequences could be used for a directory traversal attack. Another cause for concern is the null byte (%00 when URL-encoded). A null byte terminates a string in C-based APIs, so when a runtime that tolerates it in a string passes the name down to the underlying file system, everything after the null byte is dropped. Thus a file named "Test.asp%00.jpg" ends in .jpg for our file extension validation, and potentially passes our content-type validation, yet could be created on disk as "Test.asp". Likewise, if the file were requested directly in the browser as "http://mydomain.com/Test.asp%00.jpg", the server could drop everything after the null byte and treat the request as "http://mydomain.com/Test.asp". Modern runtimes generally reject null bytes in paths, but the validation should still reject them explicitly. We'll see in the next section why this could be a major cause for concern.
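As an added example, not code from the original article, the following Python performs on the server the three checks discussed above (the extension, the content, and the file name) against constructed sample inputs, including the crafted "%PDF-" text of Figure 3 and the "Test.asp%00.jpg" name. It is the server-side counterpart of the client-side function in Figure 1 and also serves the content-type discussion: the client's Content-Type header is deliberately never consulted. The helper names, the signature table, the file-name pattern, the PDF trailer heuristic and the sample bytes are this example's own assumptions.

```python
"""Server-side validation of an uploaded file.

Added example for this article, not the article's own code.  Assumptions
(not from the article): the web framework gives us the client-supplied file
name and the raw bytes; both are treated as attacker-controlled, and the
client's Content-Type header is deliberately not consulted at all.
"""
import re

# Allow-listed extensions and the magic bytes a real file of that type starts
# with.  Every other extension is rejected even if a caller allows it.
MAGIC = {
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF-"],
}

# Accepted file-name shape: a base of safe characters, one dot, an extension.
# Path separators, "..", "<", ">", spaces and control characters all fail
# this match.  Strictness costs nothing because the name is only kept for
# display; the file is stored under a server-generated name.
SAFE_NAME = re.compile(r"[A-Za-z0-9_\-]{1,64}\.([A-Za-z0-9]{1,5})")


def extension_of(file_name):
    """The naive check from Figure 1: the text after the last dot.
    'Test.asp\\x00.jpg' yields 'jpg', which is why this alone is not enough."""
    return file_name.rsplit(".", 1)[-1].lower() if "." in file_name else ""


def validate_upload(file_name, data, allowed):
    """Return (True, extension) or (False, reason), stopping at the first failure."""
    # 1. File name: reject null bytes explicitly, then everything else unsafe.
    if "\x00" in file_name:
        return False, "null byte in file name"
    m = SAFE_NAME.fullmatch(file_name)
    if m is None:
        return False, "file name contains disallowed characters"
    ext = m.group(1).lower()
    # 2. Extension must be on the caller's allow-list and known to us.
    if ext not in allowed or ext not in MAGIC:
        return False, "extension not allowed: " + ext
    # 3. Content must begin with the signature of the claimed type.
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match extension"
    # 4. A signature is only a prefix: '%PDF-' followed by HTML passes step 3.
    #    Cheap structural check (a heuristic, not a parser): a real PDF ends
    #    with an %%EOF marker.  For production use, hand the bytes to a real
    #    PDF or image parser and reject anything it cannot decode.
    if ext == "pdf" and b"%%EOF" not in data[-1024:]:
        return False, "PDF has no %%EOF trailer"
    return True, ext


# Constructed sample inputs (not real uploads).
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
FAKE_PDF = b"%PDF-<script>alert('Not A Valid PDF Document');</script>"
ASP_SNIPPET = b'<% Response.Write("not an image") %>'
ALLOWED_IMAGES = {"gif", "jpg", "jpeg", "png"}
ALLOWED_DOCS = {"pdf"}


def demo():
    """Run the checks above against the constructed samples."""
    return {
        "png":       validate_upload("photo.png", PNG_BYTES, ALLOWED_IMAGES),
        "fake_pdf":  validate_upload("report.pdf", FAKE_PDF, ALLOWED_DOCS),
        "null_byte": validate_upload("Test.asp\x00.jpg", PNG_BYTES, ALLOWED_IMAGES),
        "naive_ext": extension_of("Test.asp\x00.jpg"),
        "traversal": validate_upload("../web.config", b"", ALLOWED_DOCS),
        "renamed":   validate_upload("shell.jpg", ASP_SNIPPET, ALLOWED_IMAGES),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Running the block shows the naive last-dot extension of "Test.asp\x00.jpg" is "jpg" while the hardened check rejects the name outright, and that the Figure 3 text passes the signature check but fails the trailer check. The ordering matters: the cheap name checks run before the content is inspected, so a traversal name never reaches the file system.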

Now that we have a better idea of how to validate an uploaded file, we need to determine where to store the files a user has uploaded. Storing the bytes in a database as a BLOB is one option, with its own size and performance trade-offs; most applications store uploaded files on the server's file system, which is what the rest of this article assumes. A common mistake is storing uploaded files directly within the web root, under the name the user supplied. The primary issue is that if a malicious user can determine (or guess) the link to a file, they can, depending on access permissions, request it directly by typing the URL into their browser, without the application ever checking whether they are authorized to see it. This can lead to the disclosure of sensitive information. Another issue with storing uploaded files within the web root is that the folder containing the files may allow the execution of scripts or executables. Storing files outside the web root, under a server-generated name, and serving them through an application handler that performs the authorization check avoids both problems.

If a malicious user were able to bypass our validation and upload the fake PDF document, and the file were stored within the web root, then when a victim opened that document in their browser the script could execute. Whether it does depends on the Content-Type the server sends and on the browser's content sniffing, which is why stored files should be served with a fixed Content-Type chosen by the server, the X-Content-Type-Options: nosniff header and a Content-Disposition: attachment header, rather than straight off the disk. Now let's consider the larger issue. Suppose that instead of JavaScript the "PDF" contains executable ASP script code, and that the validation was bypassed by naming the file "Test.asp%00.pdf". If this file is stored in the web root and that folder allows script execution, a malicious user can request it directly at "http://mydomain.com/Test.asp%00.pdf", which as mentioned earlier may be interpreted as "http://mydomain.com/Test.asp". The result is that the ASP code inside the document executes on the server and whatever it produces is rendered in the attacker's browser. Such code could traverse every drive on the server, view or download documents, read sensitive information such as usernames, passwords and database connection strings, or attempt to obtain a command shell, allowing the attacker to execute arbitrary commands on the server.
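The storage side of the discussion above, as an added example that is not code from the original article: uploads are written outside the web root under a server-generated name, looked up only through a path check that refuses to leave the upload folder, and served with response headers that fix the Content-Type, disable sniffing and force a download. The directory layout, the function names, the header set and the sample bytes are this example's assumptions; a temporary directory stands in for the upload root so the block runs offline.

```python
"""Storing uploads outside the web root and serving them through a handler.

Added example for this article, not the article's own code.  Assumptions
(not from the article): UPLOAD_ROOT is a directory the web server neither
serves directly nor allows script execution in; the extension passed in has
already been validated on the server; the application's download handler
checks authorization, then streams the bytes with the headers built here.
"""
import os
import secrets
import shutil
import tempfile

# Server-controlled mapping from validated extension to the Content-Type we
# send.  Neither the file's bytes nor the client's upload header is consulted.
CONTENT_TYPES = {
    "jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png",
    "gif": "image/gif", "pdf": "application/pdf",
}


def stored_name(ext):
    """Server-generated, unguessable name.  The client's name is never used on
    disk, so 'Test.asp%00.pdf' can never become Test.asp in the upload folder."""
    return secrets.token_hex(16) + "." + ext


def safe_join(root, name):
    """Resolve name directly under root; refuse anything that escapes it."""
    root = os.path.realpath(root)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(path) != root:
        raise ValueError("path escapes upload root: " + name)
    return path


def store_upload(root, data, ext):
    """Write data under a fresh name and return that name for the database."""
    name = stored_name(ext)
    path = safe_join(root, name)
    # O_EXCL: fail instead of overwriting; 0o600: readable by the app user only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return name


def download_headers(ext, original_name):
    """Response headers for serving a stored file: a fixed type from our table,
    no content sniffing, and download rather than inline rendering, so a
    script hidden in a 'PDF' is never executed in the victim's browser."""
    shown = "".join(c for c in original_name if c.isalnum() or c in "._-")
    return {
        "Content-Type": CONTENT_TYPES[ext],
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="%s"' % (shown[:64] or "download"),
    }


def demo():
    """Round trip through a temporary directory standing in for UPLOAD_ROOT."""
    root = tempfile.mkdtemp(prefix="uploads-")
    try:
        name = store_upload(root, b"%PDF-1.4\n%%EOF\n", "pdf")
        with open(safe_join(root, name), "rb") as f:
            data = f.read()
        try:
            safe_join(root, "../etc/passwd")
            traversal_blocked = False
        except ValueError:
            traversal_blocked = True
        return {"name": name, "data": data, "traversal_blocked": traversal_blocked,
                "headers": download_headers("pdf", "Quarterly Report.pdf")}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Because the name on disk is random and the original name is only echoed back inside a sanitized Content-Disposition header, nothing the uploader typed ever reaches the file system or a response header unfiltered; the realpath comparison in safe_join also covers symlinks that point outside the upload folder.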

In summary, the primary concern is validation, validation, validation. We, as developers, need to validate every aspect of a file that is being uploaded: the file extension, the file name, the content-type and, most importantly, the content itself. Doing all of this still doesn't guarantee the file is 100% safe, but it goes a long way toward preventing malicious files from being uploaded to our servers. We also need to ensure we aren't storing the files in the web root, because doing so could allow malicious users to request the files directly in their browser and expose sensitive information. Finally, if we must store the files in the web root, we must ensure the permissions on the folder containing the files do not allow the execution of script or executable code. Adding these preventive measures will go a long way toward ensuring that your users and your server won't be compromised by malicious file uploads.

 

Copyright 2005 - 2011 by Data Springs, Inc.