"chuckdfoster" <chuckdfos***@hotmail.com> wrote in message
news:%23hzfVBmVFHA.2960@TK2MSFTNGP15.phx.gbl...
>I am developing an ASP.NET site where an site administrator can upload
>files
> via ASP.NET into a Documents folder.  These documents are then viewed by
> site users.  I used the MS KB article
> http://support.microsoft.com/default.aspx?scid=kb;en-us;323245 to learn
> how
> to do this.
>
> Is there a security issue with this.  If you are giving the ASPNET account
> Read & Execute, List Folder Contents, Read, and Write permissions, then
> could they not upload a script and then surf to the location of that
> script
> to execute it?
>
> Thanks for your knowledge in advance
>
> --
> Chuck Foster
> Programmer Analyst
> Eclipsys Corporation - St. Vincent Health System
>
>

"Kevin Spencer" <kevin@DIESPAMMERSDIEtakempis.com> wrote in message
news:OPNqdPmVFHA.2196@TK2MSFTNGP09.phx.gbl...
> > Is there a security issue with this.  If you are giving the ASPNET
account
> > Read & Execute, List Folder Contents, Read, and Write permissions, then
> > could they not upload a script and then surf to the location of that
> > script
> > to execute it?
>
> Excellent question, Chuck. Assuming that you have the proper security to
> prevent any unauthorized users from doing such a thing, such as requiring
a
> Windows logon to access the site (disallow anonymous access), you
shouldn't
> have a problem there. HOWEVER, you may have another issue. When I was in
the
> military, picking beans in Guatemala (just kidding about Guatmela - that's
> from The Usual Suspects), we often had issues with Word documents emailed
> from one officer to another. Seems one officer would pick up a virus on
> their machine, the virus would propogate to their Word docs, and they
would
> then ignorantly email the docs to one another. You should have some sort
of
> virus protection in the loop somewhere to prevent this sort of thing.
>
> --
> HTH,
>
> Kevin Spencer
> Microsoft MVP
> .Net Developer
> What You Seek Is What You Get.
>
> "chuckdfoster" <chuckdfos***@hotmail.com> wrote in message
> news:%23hzfVBmVFHA.2960@TK2MSFTNGP15.phx.gbl...
> >I am developing an ASP.NET site where an site administrator can upload
> >files
> > via ASP.NET into a Documents folder.  These documents are then viewed by
> > site users.  I used the MS KB article
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;323245 to learn
> > how
> > to do this.
> >
> > Is there a security issue with this.  If you are giving the ASPNET
account
> > Read & Execute, List Folder Contents, Read, and Write permissions, then
> > could they not upload a script and then surf to the location of that
> > script
> > to execute it?
> >
> > Thanks for your knowledge in advance
> >
> > --
> > Chuck Foster
> > Programmer Analyst
> > Eclipsys Corporation - St. Vincent Health System
> >
> >
>
>

"WJ" <JohnWe***@HotMail.Com> wrote in message
news:%23CbaVSmVFHA.2124@TK2MSFTNGP14.phx.gbl...
>
> "chuckdfoster" <chuckdfos***@hotmail.com> wrote in message
> news:%23hzfVBmVFHA.2960@TK2MSFTNGP15.phx.gbl...
> >
> > Is there a security issue with this.  If you are giving the ASPNET
account
> > Read & Execute, List Folder Contents, Read, and Write permissions, then
> > could they not upload a script and then surf to the location of that
> > script
> > to execute it?
> >
>
> It depends on what type of file your site accepts: Generally, at the time
of
> upload, a file extension (.exe, .vbs, .com, .bat, .cmd and so on) can be
> checked to prevent being executed. By giving "Execute" privilege to any
> IIS-Account such as ASPNET, yes, you introduce risk to your site.
>
> To prevent data from being stolen, one secure way is to store the files
> inside an RDBMS such as MS/SQL Server or Oracle, again, depend on how
> sensitive your files are to your company and your custommers. You must
also
> be aware that loose files cannot be protected by Asp.Net application.
>
> John
>
>

"WJ" <JohnWe***@HotMail.Com> wrote in message news:<#zrDtM$VFHA.2196@TK2MSFTNGP09.phx.gbl>...
> "chuckdfoster" <chuckdfos***@hotmail.com> wrote in message
> news:%23ZOxFWvVFHA.2424@TK2MSFTNGP10.phx.gbl...
> > Thanks for your help.  How do you specify the types of files that can be
> > uploaded?
> >
>
> I never do this in Web. But in Windows Form, there is a FileDialog control.
> There may be some 3rd party that provide this type of web control which I am
> not aware of. However, in Web form, you can still inspect the HtmlInputFile
> control by doing these:
>
>          //***********************************
>          HttpPostedFile hpf=HtmlInputFile.PostedFile;
>          string fn=System.IO.Path.GetFileName(hpf.FileName);
>          if(fn.ToLower().EndWith(".exe"))
>          {
>                 Throw error. Do not allow EXE file....
>          }
>
>          //***********************************
>
> John

> I am developing an ASP.NET site where an site administrator can upload
> files via ASP.NET into a Documents folder.  These documents are then
> viewed by site users.  I used the MS KB article
> http://support.microsoft.com/default.aspx?scid=kb;en-us;323245 to
> learn how to do this.
>
> Is there a security issue with this.  If you are giving the ASPNET
> account Read & Execute, List Folder Contents, Read, and Write
> permissions, then could they not upload a script and then surf to the
> location of that script to execute it?
>
> Thanks for your knowledge in advance
>

"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
wrote in message news:373786632514478273421136@news.microsoft.com...
> Hello chuckdfoster,
>
> you could remove execute right in IIS from that directory
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > I am developing an ASP.NET site where an site administrator can upload
> > files via ASP.NET into a Documents folder.  These documents are then
> > viewed by site users.  I used the MS KB article
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;323245 to
> > learn how to do this.
> >
> > Is there a security issue with this.  If you are giving the ASPNET
> > account Read & Execute, List Folder Contents, Read, and Write
> > permissions, then could they not upload a script and then surf to the
> > location of that script to execute it?
> >
> > Thanks for your knowledge in advance
> >
>
>
>