See more: C# ASP.NET
I have an uploader in an aspx page.
I have done validations for valid files such as .gif, .jpg, etc.
 
But if someone changes the extension of a file, for example if someone wants to upload exe files and changes the extension to .gif, then the file uploader uploads it...
How can I prevent these sorts of attacks using the file uploader?
Posted 26-Jun-13 3:49am

Solution 1

You are perfectly right. You can't believe what is sent from the client side. You have to check for yourself. What you need is to detect the MIME type from the file content. There is a concept called "magic bytes" that is used under Linux, for example. Under Windows I haven't found anything better than urlmon.dll (part of Internet Explorer), which you can call via P/Invoke. Although the list of known types is not that long, it can be enough in your case.
 
This could also be interesting: http://www.netomatix.com/Products/DocumentManagement/MimeDetector.aspx

Solution 2

Hi,
One way of doing it:

using System;
using System.ComponentModel;
using System.Diagnostics;

class ExeCheck
{
    // Win32 error code returned by CreateProcess when the target is not a valid executable image.
    const int ERROR_BAD_EXE_FORMAT = 193;

    static void Main()
    {
        try
        {
            ProcessStartInfo psi = new ProcessStartInfo();
            psi.UseShellExecute = false;
            //psi.FileName = @"C:\\Region.xml";
            psi.FileName = @"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe";
            // Attempts to start the file; a non-executable fails with ERROR_BAD_EXE_FORMAT.
            Process.Start(psi);
        }
        catch (Win32Exception ex)
        {
            if (ex.NativeErrorCode == ERROR_BAD_EXE_FORMAT)
            {
                // The exception message would be
                // "The specified executable is not a valid application for this OS platform."
                Console.WriteLine("Not a valid executable.");
            }
            else
            {
                throw;
            }
        }
    }
}
Comments
Zoltán Zörgő at 26-Jun-13 9:05am
   
Worst idea I ever heard! You really think it is wise to start an executable just to check if it is executable or not? Especially when trying to avoid attacks... Man, you opened a biiiiig portal in OP's application.
praks_1 at 27-Jun-13 1:05am
   
I said this is one way and not the best. What you have suggested, MimeDetector????? What's so great about it!!!!!!!!!!!!!!!
Zoltán Zörgő at 27-Jun-13 14:27pm
   
But this one is no option at all. It would be a built-in security hole, nothing more.
But the idea could be used in the opposite direction: since the OP wants to check whether the uploaded file is an image, one can try to create an image object from the file. If that succeeds, it can be treated as an image. Might not be the best, but could work.
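Putting Solution 1's magic-bytes idea and the comment above (try to decode the upload as an image) together, here is an added C# example for the code-behind of an aspx page. It is not code from either answer or from the linked MimeDetector product; the class and method names (ImageUploadValidator, HeaderMatchesExtension, DecodesAsImage, SaveIfValidImage) and the assumption that only GIF, JPEG, PNG and BMP are accepted are mine.

```csharp
using System;
using System.Collections.Generic;
using System.Drawing;
using System.IO;
using System.Linq;
using System.Web;

// Added example (not from the original answers): two server-side gates for an
// ASP.NET FileUpload control, independent of the client-supplied extension alone.
public static class ImageUploadValidator
{
    // Allow-list: each accepted extension maps to the leading bytes ("magic bytes")
    // that a genuine file of that type starts with. Assumed set of formats.
    private static readonly Dictionary<string, byte[][]> Signatures =
        new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase)
    {
        { ".gif",  new[] { new byte[] { 0x47, 0x49, 0x46, 0x38, 0x37, 0x61 },     // "GIF87a"
                           new byte[] { 0x47, 0x49, 0x46, 0x38, 0x39, 0x61 } } }, // "GIF89a"
        { ".jpg",  new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },                   // JPEG SOI marker
        { ".jpeg", new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
        { ".png",  new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } } },
        { ".bmp",  new[] { new byte[] { 0x42, 0x4D } } },                         // "BM"
    };

    // Gate 1: the declared extension must be on the allow-list AND the file's
    // first bytes must match one of the signatures registered for that extension.
    // A renamed .exe starts with "MZ", so it fails here regardless of its name.
    public static bool HeaderMatchesExtension(string fileName, Stream content)
    {
        string ext;
        try { ext = Path.GetExtension(fileName); }
        catch (ArgumentException) { return false; } // client name contained invalid path chars

        byte[][] expected;
        if (string.IsNullOrEmpty(ext) || !Signatures.TryGetValue(ext, out expected))
            return false;

        int longest = expected.Max(s => s.Length);
        byte[] head = new byte[longest];
        content.Position = 0;
        int read = 0;
        while (read < longest)
        {
            int n = content.Read(head, read, longest - read);
            if (n <= 0) break;
            read += n;
        }
        content.Position = 0; // rewind so the caller can still save the stream

        return expected.Any(sig => read >= sig.Length && sig.SequenceEqual(head.Take(sig.Length)));
    }

    // Gate 2 (the approach suggested in the comments): let GDI+ parse the whole
    // image with validateImageData = true. A file that merely had an image header
    // pasted onto it fails to decode.
    public static bool DecodesAsImage(Stream content)
    {
        try
        {
            content.Position = 0;
            using (Image img = Image.FromStream(content, false, true))
            {
                return img.Width > 0 && img.Height > 0;
            }
        }
        catch (ArgumentException) // GDI+ reports invalid image data this way
        {
            return false;
        }
        finally
        {
            content.Position = 0;
        }
    }

    // Glue for the upload button handler: returns the stored name, or null if rejected.
    public static string SaveIfValidImage(HttpPostedFile upload, string uploadDir)
    {
        if (upload == null || upload.ContentLength == 0) return null;
        if (!HeaderMatchesExtension(upload.FileName, upload.InputStream)) return null;
        if (!DecodesAsImage(upload.InputStream)) return null;

        // Never reuse the client's file name on disk; keep only the validated extension.
        string safeName = Guid.NewGuid().ToString("N")
                        + Path.GetExtension(upload.FileName).ToLowerInvariant();
        upload.SaveAs(Path.Combine(uploadDir, safeName));
        return safeName;
    }
}
```

In the button handler this is called as ImageUploadValidator.SaveIfValidImage(FileUpload1.PostedFile, Server.MapPath("~/Uploads")), with FileUpload1 standing for your control. Two caveats a practitioner should keep in mind: Microsoft does not support System.Drawing inside ASP.NET services, so expect to swap the decoder for something else on a busy site; and a genuine image with extra data appended after the image passes both gates, so the checks reduce what gets stored, they do not make it safe to execute. Keep the upload folder free of execute permissions, serve the files with a server-set Content-Type and X-Content-Type-Options: nosniff, and if you need more assurance, re-encode the decoded image and store the re-encoded copy instead of the original bytes.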

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



Web01 | 2.8.1411019.1 | Last Updated 26 Jun 2013
Copyright © CodeProject, 1999-2014