Re: ASP.NET Uploading Security Issue?

From: Kevin Spencer (kevin_at_DIESPAMMERSDIEtakempis.com)
Date: 05/11/05


Date: Wed, 11 May 2005 15:58:54 -0400


> Is there a security issue with this? If you are giving the ASPNET account
> Read & Execute, List Folder Contents, Read, and Write permissions, then
> could they not upload a script and then surf to the location of that
> script to execute it?

Excellent question, Chuck. Assuming that you have the proper security to
prevent any unauthorized users from doing such a thing, such as requiring a
Windows logon to access the site (disallow anonymous access), you shouldn't
have a problem there. HOWEVER, you may have another issue. When I was in the
military, picking beans in Guatemala (just kidding about Guatemala - that's
from The Usual Suspects), we often had issues with Word documents emailed
from one officer to another. Seems one officer would pick up a virus on
their machine, the virus would propagate to their Word docs, and they would
then ignorantly email the docs to one another. You should have some sort of
virus protection in the loop somewhere to prevent this sort of thing.

-- 
HTH,
Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.
"chuckdfoster" <chuckdfoster@hotmail.com> wrote in message 
news:%23hzfVBmVFHA.2960@TK2MSFTNGP15.phx.gbl...
> I am developing an ASP.NET site where a site administrator can upload
> files via ASP.NET into a Documents folder.  These documents are then
> viewed by site users.  I used the MS KB article
> http://support.microsoft.com/default.aspx?scid=kb;en-us;323245 to learn
> how to do this.
>
> Is there a security issue with this?  If you are giving the ASPNET account
> Read & Execute, List Folder Contents, Read, and Write permissions, then
> could they not upload a script and then surf to the location of that
> script to execute it?
>
> Thanks for your knowledge in advance
>
> -- 
> Chuck Foster
> Programmer Analyst
> Eclipsys Corporation - St. Vincent Health System
>
> 
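The question in the thread is whether a writable Documents folder under the web root lets an uploader drop a script and then request it. The following is an added example, not code from the thread or from KB 323245, showing one way to close that hole regardless of who is allowed to upload: the server chooses the stored file name from an allow-list of document extensions, the files live in a folder outside the IIS content root so there is no URL that maps to them, and an HTTP handler streams them back as attachments. The folder path, the extension list, the handler name and ASP.NET 2.0 or later (for Response.TransmitFile) are assumptions.

```csharp
// Added example: hardened variant of the KB 323245 upload pattern.
// Not part of the original thread; paths and extension list are assumptions.
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

public static class DocumentStore
{
    // Assumption: a physical folder OUTSIDE the IIS content root. The ASPNET (or
    // application pool) account needs write access here, but IIS never serves from it,
    // so nothing placed here can be requested, let alone run as .aspx/.asp.
    public const string StoreRoot = @"D:\SiteData\Documents";

    // Allow-list of what the site intends to publish; no script or executable types.
    static readonly string[] Allowed = { ".pdf", ".doc", ".xls", ".txt" };

    // Stored names are <32 lowercase hex chars>.<allowed ext>; built from the same
    // list so the write-side and read-side rules cannot drift apart.
    static readonly Regex StoredNamePattern = new Regex(
        @"^[0-9a-f]{32}\.(" +
        string.Join("|", Array.ConvertAll(Allowed, e => Regex.Escape(e.TrimStart('.')))) +
        @")$");

    // Only the final extension of the client-supplied name is examined, so
    // "report.pdf.aspx" is rejected; "evil.aspx.pdf" is accepted but stored as
    // <guid>.pdf, which no IIS script map will execute.
    public static bool IsAllowed(string clientFileName)
    {
        if (string.IsNullOrEmpty(clientFileName)) return false;
        string ext = Path.GetExtension(clientFileName).ToLowerInvariant();
        return Array.IndexOf(Allowed, ext) >= 0;
    }

    // Saves the posted file under a server-generated name and returns that name,
    // the only identifier the application should echo back or record.
    public static string Save(HttpPostedFile posted)
    {
        if (posted == null || posted.ContentLength == 0)
            throw new ArgumentException("No file uploaded.");
        if (!IsAllowed(posted.FileName))
            throw new ArgumentException("File type not permitted.");

        // Nothing from the client reaches the path except the vetted extension,
        // so "..\" traversal and double-extension tricks have nothing to work with.
        string storedName = Guid.NewGuid().ToString("N")
                          + Path.GetExtension(posted.FileName).ToLowerInvariant();
        posted.SaveAs(Path.Combine(StoreRoot, storedName));
        return storedName;
    }

    // Streams a stored document to the caller. Because this code sends the bytes
    // as an attachment, IIS never interprets the file as a page.
    public static void Serve(HttpContext ctx, string storedName)
    {
        if (storedName == null || !StoredNamePattern.IsMatch(storedName))
        {
            ctx.Response.StatusCode = 404;   // also rejects "..\web.config" style ids
            return;
        }
        string path = Path.Combine(StoreRoot, storedName);
        if (!File.Exists(path))
        {
            ctx.Response.StatusCode = 404;
            return;
        }

        ctx.Response.ContentType = "application/octet-stream";
        ctx.Response.AppendHeader("Content-Disposition", "attachment; filename=" + storedName);
        ctx.Response.AppendHeader("X-Content-Type-Options", "nosniff"); // stop IE sniffing to HTML
        ctx.Response.TransmitFile(path);
    }
}

// Download.ashx (hypothetical name): <%@ WebHandler Language="C#" Class="DownloadHandler" %>
// Put it in the authenticated part of the site (<deny users="?" /> in web.config) so,
// as Kevin recommends, only logged-on users can retrieve documents.
public class DownloadHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        DocumentStore.Serve(ctx, ctx.Request.QueryString["id"]);
    }
}
```

If the Documents folder has to stay under the web root, as in the KB sample, the equivalent control is to set that folder's IIS Execute Permissions to None (and grant the ASPNET account Write only there), so that even an uploaded .aspx or .asp is returned as bytes rather than run. Requiring a Windows logon, as the reply suggests, limits who can upload; keeping the store non-executable covers the case where one of those accounts is compromised, and an antivirus scan of the store handles the macro-virus scenario described in the reply.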

