Re: Best Practices for Impersonation and File Upload?
From: Raterus (raterus_at_spam.org)
Date: 07/13/04
- In reply to: Jed: "Re: Best Practices for Impersonation and File Upload?"
Date: Tue, 13 Jul 2004 16:29:16 -0400
I wouldn't really consider it that much of a vulnerability, but yes, anyone visiting your pages could upload if they could execute that code. Just store the files in a directory outside of your wwwroot, so little hackers can't go to http://your.domain.com/upload/somefile.blah, and make sure you code the application correctly enough that only valid users can access the upload code.
--Michael
"Jed" <Jed@discussions.microsoft.com> wrote in message news:A7EBC022-CA3D-4E93-83F8-5D6DB8C7580D@microsoft.com...
> Thanks, Joe,
>
> So, if "Act as part of the OS" is not a good option then what is the recommended approach for uploading files and protecting them once they are there?
>
> It seems like giving the ASPNET user NTFS change permission on a directory in the web site would open up a security vulnerability?
>
> (See my previous posts for further explanation.)
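
The approach described in this reply, as an added example that is not part of the original thread: an ASP.NET handler that refuses unauthenticated callers and saves uploads to a directory outside wwwroot. The `UploadRoot` path, the `file` form field name and the `UploadHandler` class name are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Web;

// Added example; UploadHandler, UploadRoot and the "file" field are hypothetical.
public class UploadHandler : IHttpHandler
{
    // Assumed directory outside the site's wwwroot: no URL maps to it, so a
    // stored file cannot be requested or executed through the web server.
    private static readonly string UploadRoot = @"D:\AppData\Uploads";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Only valid (authenticated) users may reach the upload code.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        HttpPostedFile posted = context.Request.Files["file"];
        if (posted == null || posted.ContentLength == 0)
        {
            context.Response.StatusCode = 400;
            return;
        }

        // Drop any directory part the client sent and prefix a server-generated
        // id so one upload cannot overwrite another.
        string safeName = Guid.NewGuid().ToString("N") + "_" +
                          Path.GetFileName(posted.FileName);

        // Defence in depth: the resolved path must still be inside UploadRoot.
        string root = Path.GetFullPath(UploadRoot);
        string target = Path.GetFullPath(Path.Combine(root, safeName));
        if (!target.StartsWith(root + Path.DirectorySeparatorChar,
                               StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = 400;
            return;
        }

        posted.SaveAs(target);
        context.Response.StatusCode = 200;
    }
}
```

With this layout the worker account needs write permission only on the upload directory, not on anything under the web site itself.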