3

I have been provided a specification for an enhancement to one of my company's software products to allow extraction of uploaded compressed files (just Zip currently) that will save and migrate the inner files into the customer's Records Management system.

Our software is .NET 4.5 on IIS 8.5 and I am just wondering if I should be arranging with management to not approve this request. I've always been taught to treat .zip files with suspicion, and the fact that I am going to then pass the trust to the computer to extract, look at the files and then move them scares me quite a bit.

Are my concerns just old news about which I shouldn't be worried anymore, and should I be comfortable enough to trust that IIS and the .NET ZIP libraries are not going to end up being caught out by executing some sort of remote code, or migrating a virus through the customer's network?

The files are usually uploaded to a file system location until moved to the records system, so potentially having an .exe sitting loosely around the system concerns me (although on extraction I could remove specific file types). If I just streamed uploads directly into the Records System, would this reduce any risk?

Our current product only allows upload of files with the png, pdf, docx and other image-based extensions.

Are my concerns legitimate, or should I be trusting IIS and .NET to handle this correctly?

I am also finding it extremely difficult to find information-based websites that carry information on specific related concerns for specific technologies (IIS, .NET etc.); even OWASP doesn't seem to have specific detailed information. If anyone has any good websites with this kind of information, please provide them.

Thanks,

Cyassin

1 Answer

3

It has not much to do with .NET or IIS; clear your mind of the idea that you are at risk just because of using MS products. When you get input from the public, of any kind, you should act pessimistic. Check the input and be sure it is of the kind you are expecting. There are two possible situations:

1) You made no mistake on your part, but a vulnerability in some library (like zip, for example) is exploited by a hacker. You can do little about it, other than using a separate VM which has nothing sensitive on it and is in charge of managing received files, extracting them and making them available to other parts of the system (pulling by other parts is preferred). If a VM is not possible, keep the process in charge at low privilege. So in case of any exploit your concern is just minimizing the damage. Microsoft auto-updates lower the risk of zero-day exploits being leveraged. Your real concern goes to number two.

2) The most important advice for security programming: don't trust user input. Consider SQL injection, XSS, BoF... All happen because of trusting the type, size, format... of user input, so check it and make sure it is what you expect from all aspects. Use an updated antivirus on the VM responsible for file management and check archives.

You can recap it as plan A, when you do your best to prevent disaster, and plan B, when the damage has already happened and you try to minimize its consequences.

Xaqron
  • Thanks, the responses are all things I am conscious of, in particular not trusting user input of any form. I'm also not feeling at risk just because I am using MS products; it was more a question in relation to whether there are known vulnerabilities with those particular technologies when handling the zip and its contained files to be conscious of, i.e. does using any particular method to move the files leave me more exposed than others. I feel as if this kind of documentation fails to exist in dev communities, and while I am a very security-conscious developer, there are always so many unknowns... – Cyassin Oct 13 '16 at 00:55
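One way to apply the answer's "check it is what you expect" advice to the zip enhancement in the question, as an added C# example (not the answer author's code): before anything is written to disk, every entry is checked for path traversal (Zip Slip), for the same file-type whitelist the product already applies to plain uploads, and for zip-bomb sizes. The `ZipIntake` class, the size and count constants and the exact `Allowed` list are assumptions; the API used is `System.IO.Compression` from .NET 4.5.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Linq;

// Hypothetical intake check for uploaded archives (System.IO.Compression, .NET 4.5+).
// Nothing is written to disk until every entry has passed every check.
static class ZipIntake
{
    // Same file types the product already accepts for plain uploads (from the question).
    static readonly string[] Allowed = { ".png", ".jpg", ".jpeg", ".gif", ".pdf", ".docx" };
    const long MaxTotalBytes = 200L * 1024 * 1024; // assumed cap on total uncompressed size
    const int MaxEntries = 500;                    // assumed cap on number of entries
    const int MaxRatio = 100;                      // assumed cap on per-entry compression ratio

    // Returns rejection reasons; an empty list means the archive may be extracted.
    public static List<string> Inspect(Stream zip, string destinationDir)
    {
        var problems = new List<string>();
        var destRoot = Path.GetFullPath(destinationDir).TrimEnd(Path.DirectorySeparatorChar)
                       + Path.DirectorySeparatorChar;
        long total = 0;
        using (var archive = new ZipArchive(zip, ZipArchiveMode.Read, leaveOpen: true))
        {
            if (archive.Entries.Count > MaxEntries) problems.Add("too many entries");
            foreach (var entry in archive.Entries.Take(MaxEntries))
            {
                if (entry.Name.Length == 0) continue; // directory marker, nothing to write
                // Zip Slip: "../x" or an absolute name must not resolve outside destRoot.
                string target;
                try { target = Path.GetFullPath(Path.Combine(destRoot, entry.FullName)); }
                catch (Exception) { problems.Add("unparseable name: " + entry.FullName); continue; }
                if (!target.StartsWith(destRoot, StringComparison.OrdinalIgnoreCase))
                    problems.Add("path escapes destination: " + entry.FullName);
                // Whitelist by final extension, so "report.pdf.exe" is rejected.
                if (!Allowed.Contains(Path.GetExtension(entry.Name).ToLowerInvariant()))
                    problems.Add("disallowed file type: " + entry.FullName);
                // Zip bomb: bound total size and per-entry ratio from the central directory
                // before inflating anything. These headers can lie, so the extraction step
                // must also count bytes and abort once entry.Length is exceeded.
                total += entry.Length;
                if (entry.CompressedLength > 0 && entry.Length / entry.CompressedLength > MaxRatio)
                    problems.Add("suspicious compression ratio: " + entry.FullName);
            }
        }
        if (total > MaxTotalBytes) problems.Add("uncompressed size exceeds limit");
        return problems;
    }
}
```

Run `Inspect` on the uploaded stream and reject the whole archive if the list is non-empty; extracting only the clean entries is riskier because a single crafted entry can still reach the upload folder mentioned in the question.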