Folder for uploaded files - how could it be hacked


  1. #1

    Folder for uploaded files - how could it be hacked

    This may sound like a dumb question but I'm just trying to get a handle on it from a defensive standpoint of course.

    Let's say a client wants a Web page to upload some pictures to the server. And let's say that the folder the pictures go into is NOT above the www root (although I know that it would be a good idea to put it above the www root).

    In order for the uploading to occur I've got to give that folder write permissions.

    That's all fine and works, but my question is what are the security risks? In other words what and how could a malicious user perhaps change the picture files or upload his own files in some way not using my Web page to upload the files as my Web page requires a password, has restrictions, and would not for instance allow uploading an .asp file?

    Thanks!
    J. Paul Schmidt - ASP Web Developer
     - To put live data on the Web...

  2. #2

    RE: Folder for uploaded files - how could it be ha

    Personally I'd thoroughly validate the file being uploaded - make sure it's not got an ASP or ASA extension (or any other potentially scriptable extension). As long as there's no utility for renaming files this should happily prevent 90% of the problems.
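
The extension check suggested in the reply above, as an added example that is not code from either poster; it is written in Python rather than ASP and goes beyond the reply by using an allowlist of picture extensions, comparing the file's leading bytes to the claimed type, and storing under a server-generated name. The function names and the sample uploads are assumptions made for illustration.

```python
import os
import secrets

# Allowlist of picture types: extension -> leading signature bytes of that format.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def stored_name_for(client_name, data):
    """Return a server-generated name for an accepted picture, else raise ValueError."""
    # Keep only the last path component; some browsers send a full client path.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    # Reject leading/trailing dots and spaces (Windows drops trailing ones on save)
    # and characters that carry special meaning to the file system or web server.
    if base != base.strip(" .") or any(c in ':;<>"|?*' or ord(c) < 32 for c in base):
        raise ValueError("suspicious file name")
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if not stem or ext not in ALLOWED:
        raise ValueError("extension not on the allowlist")
    # Sanity check, not proof of harmlessness: content must start with the
    # signature of the type the extension claims.
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    # Never store under the client's name: a random name cannot collide with
    # or overwrite an existing file, and keeps only the vetted extension.
    return secrets.token_hex(16) + ext

def is_accepted(client_name, data):
    try:
        stored_name_for(client_name, data)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample uploads (name, first bytes of content).
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 8
    for name, data in [("C:\\pics\\Holiday.PNG", png), ("page.asp", jpg),
                       ("global.asa", jpg), ("photo.jpg.", jpg), ("photo.png", jpg)]:
        print(f"{name!r}: {'accepted' if is_accepted(name, data) else 'rejected'}")
```

Because the file is saved under the returned name, nothing the uploader typed except the vetted extension reaches the disk.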
