See more: C# ASP.NET
I have an uploader in an aspx page.
I have done validations for valid files such as .gif, .jpg, etc.
But if I change the extension of a file, for example if someone wants to upload exe files and changes its extension to .gif, then the file uploader uploads it...
How can I prevent these sorts of attacks by using the file uploader???
Posted 26-Jun-13 3:49am

Solution 1

You are perfectly right. You can't believe what is sent from the client side. You have to check for yourself. What you need is to detect the MIME type from the file content. There is a concept called "magic bytes" that is used under Linux, for example. Under Windows I haven't found anything better than urlmon.dll (part of Internet Explorer), which you can call via P/Invoke[^]. Although the list of known types[^] is not that long, it can be enough in your case.
This could also be interesting: [^]

Solution 2

One way of doing it:
using System;
using System.ComponentModel;
using System.Diagnostics;
const int ERROR_BAD_EXE_FORMAT = 193;   // Win32 error code: the file is not a valid PE image
ProcessStartInfo psi = new ProcessStartInfo();
psi.UseShellExecute = false;
//psi.FileName = @"C:\\Region.xml";     // a non-executable file ends up in the catch block below
psi.FileName = @"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe";
try { Process.Start(psi); }             // note: this really launches the file if it IS a valid executable
catch (Win32Exception ex)
{
    if (ex.NativeErrorCode == ERROR_BAD_EXE_FORMAT)
    {
        // The exception message would be
        // "The specified executable is not a valid application for this OS platform."
        Console.WriteLine("Not a valid executable.");
    }
}
Zoltán Zörgő at 26-Jun-13 9:05am
Worst idea I ever heard! You really think it is wise to start an executable just to check if it is executable or not? Especially when trying to avoid attacks... Man, you opened a biiiiig portal in OP's application.
praks_1 at 27-Jun-13 1:05am
I said this is one way and not the best. What you have suggested, MimeDetector????? What's so great about it!!!!!!!!!!!!!!!
Zoltán Zörgő at 27-Jun-13 14:27pm
But this one is no option at all. It would be a built-in security hole, nothing more.
But the idea could be used in the opposite direction: since the OP wants to check if the uploaded file is an image, one can try to create an image object from the file. If that succeeds, it can be treated as an image. Might not be the best, but could work.
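Added example, not code from anyone in this thread: a C# check in the spirit of Solution 1 (and of the comment above), where the file's leading bytes decide whether it is accepted, not the extension the client claims. The UploadSniffer class, its signature table and the sample inputs in Main are constructed here; on the aspx page the stream would be FileUpload.PostedFile.InputStream.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Added example (not from the thread): decide by the file's leading bytes, not its name.
public static class UploadSniffer
{
    // Well-known "magic bytes" for the image types the question allows (constructed table).
    private static readonly Dictionary<string, byte[][]> Signatures =
        new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase)
    {
        { ".gif",  new[] { new byte[] { 0x47, 0x49, 0x46, 0x38, 0x37, 0x61 },     // "GIF87a"
                           new byte[] { 0x47, 0x49, 0x46, 0x38, 0x39, 0x61 } } },  // "GIF89a"
        { ".jpg",  new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },                    // JPEG SOI marker
        { ".jpeg", new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
        { ".png",  new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } } },
    };

    // True only if the claimed extension is on the allow-list AND the content starts with
    // one of that type's signatures. A renamed .exe begins with "MZ" and therefore fails.
    public static bool IsAllowedImage(string fileName, Stream content)
    {
        byte[][] expected;
        string ext = Path.GetExtension(fileName ?? string.Empty);
        if (ext.Length == 0 || !Signatures.TryGetValue(ext, out expected))
            return false;

        byte[] header = new byte[expected.Max(sig => sig.Length)];
        int read = content.Read(header, 0, header.Length);
        if (content.CanSeek) content.Position = 0;   // rewind so the caller can still save the file

        return expected.Any(sig => read >= sig.Length && sig.SequenceEqual(header.Take(sig.Length)));
    }

    // Constructed sample inputs: a genuine GIF header and a PE ("MZ") header renamed to .gif.
    public static void Main()
    {
        byte[] realGif = { 0x47, 0x49, 0x46, 0x38, 0x39, 0x61, 0x01, 0x00, 0x01, 0x00 };
        byte[] renamedExe = { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00 };

        Console.WriteLine("logo.gif (real GIF):      " + IsAllowedImage("logo.gif", new MemoryStream(realGif)));
        Console.WriteLine("payload.gif (renamed PE): " + IsAllowedImage("payload.gif", new MemoryStream(renamedExe)));
        Console.WriteLine("logo.exe (GIF content):   " + IsAllowedImage("logo.exe", new MemoryStream(realGif)));
    }
}
```

This only confirms the header; fully decoding the file (the image-object approach suggested above) is a stricter second step, and the saved file should in any case never be served from a location that executes uploads.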

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Last Updated 26 Jun 2013
Copyright © CodeProject, 1999-2015