yanivhanya
Participant
1155 Points
323 Posts
preventing from exe to run in a image folder
Dec 04, 2012 10:10 AM
In my web app I have an "image" folder that allows users to upload images in a simple way. I want to prevent them from running (executing) these files, so people will not be able to upload a false "jpg" and then run it through HTTP. I couldn't find the right security setting for this folder, since if I uncheck "execute" the "read" becomes unchecked... can't I read the files but not execute them in one folder?
dev_2580
Member
456 Points
79 Posts
Re: preventing from exe to run in a image folder
Dec 04, 2012 10:46 AM
Hi, not sure if I understood you 100%, but one way to prevent users from browsing to a specific folder via URL is to deny access to that specific path via the web.config.

    <location path="YourPath/ImageFolder">
      <system.webServer>
        <directoryBrowse enabled="false" />
      </system.webServer>
    </location>

This article may help you as well: http://stackoverflow.com/questions/3776847/how-to-restrict-folder-access-in-asp-net
Good luck
--- Grace ties up all the loose ends and suddenly everything makes sense ---
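The "read but not execute" split the question asks for is expressed in IIS 7 web.config as the handlers accessPolicy, which the reply above does not cover. The fragment below is an added example, not dev_2580's configuration; it assumes the folder path YourPath/ImageFolder from the post and an IIS 7 or later site in integrated mode.

```xml
<!-- Added example (not from the thread). Scoped to the upload folder only:
     the rest of the site keeps its normal Read/Script handler policy. -->
<location path="YourPath/ImageFolder">
  <system.webServer>
    <directoryBrowse enabled="false" />

    <!-- Read only: the static file handler can still serve .jpg/.png/.gif,
         but .aspx/.ashx/.asp/.php handlers need Script or Execute access,
         which this policy withholds, so nothing stored here can run. -->
    <handlers accessPolicy="Read" />

    <!-- Belt and braces: any request in this folder whose extension is not
         an image type is rejected by request filtering (HTTP 404.7) before
         a handler is even chosen, regardless of the file's real content. -->
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="false">
          <add fileExtension=".jpg"  allowed="true" />
          <add fileExtension=".jpeg" allowed="true" />
          <add fileExtension=".gif"  allowed="true" />
          <add fileExtension=".png"  allowed="true" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</location>
```

If IIS reports that the handlers section is locked at this path, unlock it once at the server level with appcmd unlock config -section:system.webServer/handlers; the same policy can also be set in IIS Manager under Handler Mappings, Edit Feature Permissions, by clearing Script and Execute for that folder.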
Keep it Simp...
Member
549 Points
264 Posts
Re: preventing from exe to run in a image folder
Dec 05, 2012 05:37 AM
In C# or VB.NET and the file upload control, you can check the file extension the user is uploading and restrict it to jpg, jpeg, or gif.
If the file extension is anything else, delete the file immediately in code.
yanivhanya
Participant
1155 Points
323 Posts
Re: preventing from exe to run in a image folder
Dec 06, 2012 07:44 AM
To dev: does this solution allow me to show the image? This is my problem: I want to show (read) the image files and prevent executing.
To "Keep it Simple": well, a simple hacker can just change the file extension from "dll" or "exe" to jpg and the file uploader will not recognize the change. However, I don't use the file uploader; I use ajax to upload the file.
dev_2580
Member
456 Points
79 Posts
Re: preventing from exe to run in a image folder
Dec 06, 2012 08:48 AM
Firstly, even if you uploaded an exe disguised as a jpg, you still would not be able to execute it.
i.e. An exe called Dangerous.exe is renamed and successfully uploaded as Dangerous.jpg. I'm not sure how a hacker would be able to execute it, since hitting the URL, like http://mysite/uploaded/Dangerous.jpg, would NOT execute the exe, but would probably try to display the file, which would eventually show up as a corrupted image (with that red x).
But since I'm not a hacker and might be naive enough to think your site is safe, here is an option.
Check the MIME type of the file and delete it if needed (perhaps you'd even be able to do this before the upload?). The method below shows how to check a file's MIME type NOT by extension, but rather by reading the header of the file. i.e. the file uploaded as Dangerous.jpg would have a MIME type of application/exe, instead of the type you're looking for, image/jpeg.
    using System;
    using System.Drawing;
    using System.IO;
    using System.Linq;

    // Returns true only if the file starts with a known image signature AND
    // GDI+ can actually decode it, regardless of the extension it was given.
    private static bool IsValidImage(string filePath)
    {
        // Signatures compared as raw bytes. Decoding the header with
        // Encoding.ASCII would turn 0xFF and 0x89 into '?', so a string
        // comparison could never match a real JPEG or PNG.
        byte[][] imageHeaders =
        {
            new byte[] { 0xFF, 0xD8 },             // JPEG
            new byte[] { 0x42, 0x4D },             // BMP  ("BM")
            new byte[] { 0x47, 0x49, 0x46 },       // GIF  ("GIF")
            new byte[] { 0x89, 0x50, 0x4E, 0x47 }  // PNG  (0x89 "PNG")
        };

        using (Stream imageStream = new FileStream(filePath, FileMode.Open, FileAccess.Read))
        {
            if (imageStream.Length == 0)
                return false;

            byte[] header = new byte[4]; // Change size if needed.
            int read = imageStream.Read(header, 0, header.Length);

            bool isImageHeader = imageHeaders.Any(sig =>
                read >= sig.Length && sig.SequenceEqual(header.Take(sig.Length)));
            if (!isImageHeader)
                return false;

            try
            {
                // Rewind: the header read advanced the stream, and the decoder
                // must see the file from byte 0.
                imageStream.Position = 0;
                Image.FromStream(imageStream).Dispose();
                return true;
            }
            catch (Exception)
            {
                // Header looked right but the decoder rejected the content.
                return false;
            }
        }
    }

This is a much better way than trying to do it with security, since you can simply deny / delete the unwanted files from the server instead of having them on the server hoping to block people from getting access to them.
The method above is not my own work, but comes from another post http://forums.asp.net/t/1710878.aspx/1 (I can't take credit for this).
--- Grace ties up all the loose ends and suddenly everything makes sense ---