We have allowed uploading .pdf, .doc, .docx, .xls, .xlsx and images like .jpg, .jpeg, .png files in MVC 5. Everything is working fine, but my security team raised a security vulnerability: the security team changes a malicious file's extension to one of the allowed extensions and changes the header to a supported file type header with a tool before the request hits the server, and the file gets uploaded to the server.

We are looking for a solution in MVC C# but haven't found one that stops malicious files from being uploaded to the server through my MVC C# application.

What I have tried:

We have used the following code and also used Winista MIME detect, but are unable to get a proper solution. They are not returning the proper MIME type.

using System;
using System.IO;
using System.Runtime.InteropServices;

public class urlmonMimeDetect
{
    // FindMimeFromData takes wide (UTF-16) strings, not ANSI, and returns the MIME
    // string as a CoTaskMem-allocated LPWSTR. The out parameter must be a real
    // IntPtr: squeezing it through a UInt32 truncates the pointer on 64-bit.
    [DllImport("urlmon.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    private static extern int FindMimeFromData(
        IntPtr pBC,
        [MarshalAs(UnmanagedType.LPWStr)] string pwzUrl,
        [MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 3)] byte[] pBuffer,
        uint cbSize,
        [MarshalAs(UnmanagedType.LPWStr)] string pwzMimeProposed,
        uint dwMimeFlags,
        out IntPtr ppwzMimeOut,
        uint dwReserved);

    public static string GetMimeFromFile(Stream fs)
    {
        byte[] buffer = new byte[256];
        // Read() may return fewer bytes than requested; pass the real count, not 256.
        int read = fs.Read(buffer, 0, buffer.Length);
        IntPtr mimeTypePtr = IntPtr.Zero;
        try
        {
            int hr = FindMimeFromData(IntPtr.Zero, null, buffer, (uint)read, null, 0, out mimeTypePtr, 0);
            if (hr != 0 || mimeTypePtr == IntPtr.Zero)
                return "unknown/unknown";
            return Marshal.PtrToStringUni(mimeTypePtr);
        }
        catch (Exception)
        {
            return "unknown/unknown";
        }
        finally
        {
            // The returned string is owned by the caller and must be freed.
            if (mimeTypePtr != IntPtr.Zero)
                Marshal.FreeCoTaskMem(mimeTypePtr);
        }
    }
}
Updated 11-Feb-21 13:57pm

Pretty much, you can't. The only way to prevent this is to upload the file and examine its binary content. An EXE file always starts with a two-byte prefix: .exe - Wikipedia, so you can check for those - but since they are ASCII / Unicode characters, it is possible (but unlikely) to get false positives.

Once identified, you can delete the data instead of saving it - but there is no way to do this without uploading the file data first.
Just a few thoughts. Had a similar problem.

General Process
1. Upload the file, using the stream data, saved to a temp file as a GUID.
2. Check the signature of the file based on its original extension, if any - no reason to hide this, right? ;)
3. Match against a signatures table & expected extension.

If allowed, rename, otherwise delete.

For example: search Wikipedia for File Formats and check the magic number section.

With some minor C# code, you could use this as a stand-alone, queued process to take the webserver out of it.
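Both answers come down to the same server-side check: store the bytes first, compare the leading bytes against a magic-number table keyed by the extension the client claimed, reject anything that doesn't match (and anything carrying the PE "MZ" prefix), then rename or delete. The following C# is an added example of that check, not code from the question or from either answer. It assumes .NET Framework 4.5+ or .NET Core with a reference to System.IO.Compression.FileSystem for ZipFile; the class and method names (UploadContentValidator, IsContentConsistentWithExtension, AcceptOrDiscard) and the quarantine/store directories are my own. It goes one step beyond the answers for .docx and .xlsx: those are ZIP containers, so the PK header alone only proves "some archive", and the example additionally requires the Word or Excel root part to be present inside the archive.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Linq;

public static class UploadContentValidator
{
    // Leading-byte signatures for the allowed extensions (values from the Wikipedia
    // "List of file signatures" magic-number table).
    private static readonly Dictionary<string, byte[][]> Signatures =
        new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase)
    {
        [".pdf"]  = new[] { new byte[] { 0x25, 0x50, 0x44, 0x46 } },                        // "%PDF"
        [".jpg"]  = new[] { new byte[] { 0xFF, 0xD8, 0xFF } },
        [".jpeg"] = new[] { new byte[] { 0xFF, 0xD8, 0xFF } },
        [".png"]  = new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } },
        [".doc"]  = new[] { new byte[] { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 } }, // OLE2 compound file
        [".xls"]  = new[] { new byte[] { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 } },
        [".docx"] = new[] { new byte[] { 0x50, 0x4B, 0x03, 0x04 } },                        // "PK\x03\x04" (ZIP)
        [".xlsx"] = new[] { new byte[] { 0x50, 0x4B, 0x03, 0x04 } },
    };

    // OOXML is a ZIP; require the part that identifies it as a Word or Excel package.
    private static readonly Dictionary<string, string> OoxmlRootPart =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
    {
        [".docx"] = "word/document.xml",
        [".xlsx"] = "xl/workbook.xml",
    };

    public static bool IsContentConsistentWithExtension(string tempPath, string claimedExtension)
    {
        byte[][] candidates;
        if (!Signatures.TryGetValue(claimedExtension ?? string.Empty, out candidates))
            return false; // extension not on the allow-list (or no extension at all)

        byte[] head = new byte[16];
        int read;
        using (var fs = File.OpenRead(tempPath))
            read = fs.Read(head, 0, head.Length);

        // A PE image ("MZ") is never acceptable, whatever extension the client claimed.
        if (read >= 2 && head[0] == 0x4D && head[1] == 0x5A)
            return false;

        bool magicOk = candidates.Any(sig => read >= sig.Length && head.Take(sig.Length).SequenceEqual(sig));
        if (!magicOk)
            return false;

        string requiredPart;
        if (OoxmlRootPart.TryGetValue(claimedExtension, out requiredPart))
            return ZipContainsEntry(tempPath, requiredPart);
        return true;
    }

    private static bool ZipContainsEntry(string path, string entryName)
    {
        try
        {
            using (var zip = ZipFile.OpenRead(path))
                return zip.Entries.Any(e => string.Equals(e.FullName, entryName, StringComparison.OrdinalIgnoreCase));
        }
        catch (InvalidDataException)
        {
            return false; // correct PK header but not a readable archive
        }
    }

    // Steps 1-3 of the answer above: quarantine under a GUID name, verify, then keep or delete.
    // Returns the stored path, or null when the upload was rejected and deleted.
    public static string AcceptOrDiscard(Stream upload, string originalFileName, string quarantineDir, string storeDir)
    {
        string ext = Path.GetExtension(originalFileName);
        string tempPath = Path.Combine(quarantineDir, Guid.NewGuid().ToString("N"));
        using (var fs = File.Create(tempPath))
            upload.CopyTo(fs);

        if (!IsContentConsistentWithExtension(tempPath, ext))
        {
            File.Delete(tempPath);
            return null;
        }

        // Never reuse the client-supplied name; a fresh GUID plus the verified extension.
        string finalPath = Path.Combine(storeDir, Guid.NewGuid().ToString("N") + ext.ToLowerInvariant());
        File.Move(tempPath, finalPath);
        return finalPath;
    }
}
```

From an MVC 5 controller this is called as `UploadContentValidator.AcceptOrDiscard(file.InputStream, file.FileName, quarantineDir, storeDir)` on the posted `HttpPostedFileBase`. Two limits worth knowing: .doc and .xls share the OLE2 header, so this check cannot tell one from the other without parsing the compound-file directory; and a matching signature proves the container format, not that the content is harmless (a structurally valid PDF can still carry active content), so the check belongs alongside anti-malware scanning and serving downloads with a fixed Content-Type and Content-Disposition: attachment, so a mis-classified file is never rendered inline by the browser.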

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
