
I was joking around with some file uploads to the server, for the site I was working on. Now it seems to me that we have an enormous security risk.

They don't block any file extensions that are executable and the files are just uploaded to the D:\ Drive. It seems to me this is not really secure.

How can I convince my co-workers we need to address this problem immediately, and in what ways can we be more secure against malicious file uploading?

The ones I've heard of are:

  • Save into App_Data (Don't really know why)
  • Block executable extensions

What else must we be more careful about?

Ludisposed
    You should properly handle this issue, but it is not "enormous" and it doesn't need to be fixed "immediately". _Haste is seldom good._ – Sjoerd May 22 '17 at 15:00
  • Record a video of you getting a reverse shell via this entry point and send it to manager who understands and cares. That usually works lol – DotNetRussell May 22 '17 at 15:13

2 Answers


If the files are upload only and there is no way to execute them then this is not a high risk vulnerability. It is good practice to also set the Content-Disposition header, as this will force a download and prevent XSS vulnerabilities if HTML or SVG is uploaded. See here for a demo (click this HTML in the second paragraph).

However, being able to upload malware to a system is never a good thing.

The App_Data folder is being suggested as this isn't readable through an ASP.NET serving IIS server.

e.g. example.com/App_Data/virus.bat will return an HTTP 403 Forbidden. Therefore it is a good place to store files as they are not directly publicly executable or viewable.

To mitigate the malware threat to server administrators and those with access to the file system, you should virus scan all uploaded files and only allow a whitelist of safe extensions to be uploaded, e.g. .txt, .gif, .jpg. Do not rely on MIME types if the files are saved with the original names, as the target system will take the extension to determine how to handle them.

Blacklisting is difficult due to the number of executable extensions, which is always changing as new file types are designed.

Another vulnerability that may affect availability or integrity of the application is if other users can overwrite already existing files. Ensure that this is not the case and users cannot do anything malicious using this vector.

Also you should ensure a user cannot upload a file called c:\autoexec.bat, ..\index.aspx or the like to cause your system to write the file somewhere else other than intended. This is known as directory traversal and some other possible character sequences are here.

Finally, for more info check out OWASP.

SilverlightFox

It is a good idea to restrict the files that can be uploaded. I assume the Uitdraai leerlingvolgsysteem is always the same file format, such as PDF. In such a case you can perform the following checks:

  • Check the file extension. Does the file name end in .pdf?
  • Check the file format. Does the file start with %PDF?

You could also check for a virus using a virus scanner, but this would practically never detect a targeted attack.

Another important thing is how the uploads are handled after they are uploaded. You have currently not included that information in your question, which makes it hard to speculate about this.

The files that are uploaded here are presumably checked by a person at some point. What that person does with the file determines the impact of a malicious upload. If she only opens these files in notepad, nothing bad can happen. If she double-clicks everything anyone sends her, then you may be in trouble.

Sjoerd
  • Regarding your first assumption, that is not always the case, since some users upload their file in a different format, i.e. `.pdf` or `.xml` and `.xls`. Regarding the second question: we never really open the files on the server, but the users can download these uploaded files and alter them at will. – Ludisposed May 22 '17 at 15:01
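The checks the two answers describe (an extension allow-list combined with a check of the file's leading bytes, a server-chosen file name that discards any client-supplied path such as `c:\autoexec.bat` or `..\index.aspx`, and a write that refuses to overwrite an existing file), collected in one place as an added Python example; this is not code from either answer or from the asker's ASP.NET site, and `ALLOWED_SIGNATURES`, `UploadRejected`, `validate_upload`, `storage_path` and `save_upload` are names chosen here.

```python
import os
import secrets

# Constructed allow-list for this example: extension -> accepted leading bytes.
# Extend it with the formats the site actually accepts (the question mentions
# PDF as well as XML and XLS uploads).
ALLOWED_SIGNATURES = {
    ".pdf": (b"%PDF",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

class UploadRejected(ValueError):
    """Raised when an upload fails validation."""

def validate_upload(original_name: str, head: bytes) -> str:
    """Return the validated extension or raise UploadRejected.

    Only the client-supplied name's extension and the file's leading bytes are
    consulted; the client's Content-Type header is deliberately ignored.
    """
    # Strip any directory part (both separator styles) so a name like
    # "c:\autoexec.bat" or "..\index.aspx" cannot steer the write location.
    base = os.path.basename(original_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        raise UploadRejected(f"extension {ext!r} is not allow-listed")
    if not any(head.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        raise UploadRejected(f"content does not match {ext}")
    return ext

def storage_path(upload_dir: str, ext: str) -> str:
    """Server-chosen name (random token + validated extension) inside upload_dir."""
    path = os.path.join(upload_dir, secrets.token_hex(16) + ext)
    root = os.path.realpath(upload_dir)
    # Defence in depth: the resolved path must stay under the upload root.
    if os.path.commonpath([root, os.path.realpath(path)]) != root:
        raise UploadRejected("path escapes the upload directory")
    return path

def save_upload(upload_dir: str, original_name: str, data: bytes) -> str:
    """Validate, then write with O_EXCL so an existing file is never overwritten."""
    ext = validate_upload(original_name, data[:16])
    path = storage_path(upload_dir, ext)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path
```

Serving the stored files back with `Content-Disposition: attachment`, as the first answer recommends, is a separate step in the download handler and is not shown here.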