Crashing IIS

Hi,
I have a simple question. I am using vbscript on a site to get users to upload pictures to my site and view them on the site. My vbscript basically checks the extension of the file and if the file is either jpg, jpeg or gif it allows the upload. My question is, is it possible for someone to write code, change the extension of the file to jpg or have a double extension (filename.vbs.jpg), upload the file to my webserver and have the code execute on my server, crashing it.

Thanks

Yes. Is your vbscript running on the client-side? It's trivial for the end user to defeat client-side controls. Never trust client input. Always validate it on the server.

Chris

"public32" <publi***@discussions.microsoft.com> wrote in message news:1FA4347D-0CB5-4A0D-94FF-AF8E0E39D7C7@microsoft.com...
> hi,
> I have a simple question. I am using vbscript on a site to get users to
> upload pictures to my site view them on the site. my vbscript basically
> checks the extension of the file and if the file is either jpg, jpeg or gif
> it allows the upload. my question is, is it possible for someone to write a
> code change the extension of the file to jpg or have a double extension
> (filename.vbs.jpg), upload the file to my webserver and have the code execute
> on my server, crashing it.
>
> Thanks
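
An added example, not part of the original thread: one way to do the server-side validation the reply recommends, checking the file's leading bytes as well as its extension so that a renamed script such as filename.vbs.jpg is rejected. The function names are hypothetical, and it assumes the site's upload parser has already produced the client-supplied file name and the file content as a byte string (for example from Request.BinaryRead); the demo lines at the bottom run under cscript.

```vbscript
' Added example; ByteAt, SniffImageType and SafeImageExtension are hypothetical names.
' Assumes fileName is the client-supplied name and fileBytes is a byte string.

Function ByteAt(data, pos)
    ByteAt = AscB(MidB(data, pos, 1))
End Function

' Returns "jpg" or "gif" based on the leading magic bytes, "" if neither.
Function SniffImageType(fileBytes)
    SniffImageType = ""
    If LenB(fileBytes) < 6 Then Exit Function
    If ByteAt(fileBytes, 1) = &HFF And ByteAt(fileBytes, 2) = &HD8 _
       And ByteAt(fileBytes, 3) = &HFF Then
        SniffImageType = "jpg"            ' JPEG start-of-image marker
    ElseIf ByteAt(fileBytes, 1) = &H47 And ByteAt(fileBytes, 2) = &H49 _
       And ByteAt(fileBytes, 3) = &H46 And ByteAt(fileBytes, 4) = &H38 _
       And (ByteAt(fileBytes, 5) = &H37 Or ByteAt(fileBytes, 5) = &H39) _
       And ByteAt(fileBytes, 6) = &H61 Then
        SniffImageType = "gif"            ' "GIF87a" or "GIF89a"
    End If
End Function

' Returns the extension to store the file under, or "" to reject the upload.
' Only the text after the last dot is considered, and it must agree with
' what the content actually is.
Function SafeImageExtension(fileName, fileBytes)
    Dim dotPos, ext
    SafeImageExtension = ""
    dotPos = InStrRev(fileName, ".")
    If dotPos = 0 Then Exit Function
    ext = LCase(Mid(fileName, dotPos + 1))
    If ext = "jpeg" Then ext = "jpg"
    If ext <> "jpg" And ext <> "gif" Then Exit Function
    If SniffImageType(fileBytes) = ext Then SafeImageExtension = ext
End Function

' Constructed sample inputs: a GIF header, and script text renamed to .jpg.
Dim gifBytes, scriptBytes, i
gifBytes = ChrB(&H47) & ChrB(&H49) & ChrB(&H46) & ChrB(&H38) & ChrB(&H39) & ChrB(&H61)
scriptBytes = ""
For i = 1 To Len("MsgBox 1")
    scriptBytes = scriptBytes & ChrB(Asc(Mid("MsgBox 1", i, 1)))
Next
WScript.Echo "photo.gif -> [" & SafeImageExtension("photo.gif", gifBytes) & "]"
WScript.Echo "filename.vbs.jpg -> [" & SafeImageExtension("filename.vbs.jpg", scriptBytes) & "]"
```

A header check only shows the file starts like an image, so the upload should still be saved under a server-generated name with the returned extension rather than the client's name, in a folder where IIS has script and executable permissions turned off.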