upload an executable file disguised as gif or jpg

aa
If I allow people to upload GIF or JPG files on my site, is there a technical possibility to upload an executable file disguised as gif or jpg and execute it on my server?
Jul 19 '05 #1
aa wrote:
> If I allow people to upload GIF or JPG files on my site, is there a
> technical possibility to upload an executable file disguised as gif
> or jpg and execute it on my server?


I don't see how. Whether or not you are using a third-party component or a
pure asp solution to handle the upload, you are in control over what happens
to the file when it is processed in the server-side page.

I suppose there is a possibility of some type of malware being sent to a
client machine after it's been uploaded to the server (although I may be
wrong about this part).

You may get more details by asking on m.p.inetserver.iis.security. You may
want to do a Google search first. This may be a FAQ.

Bob Barrows

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Jul 19 '05 #2
aa
Thanks, Bob.
I do not know what exactly is possible for a knowledgeable hacker.
They make viruses built into email message which, when downloaded, start
doing some things.
This makes me think that one can write a virus camouflaged as a .gif file and
upload it to the server.

If I direct all uploads to a directory with no execution permissions, would
it prevent possible problems?
"Bob Barrows" <re******@NOyah oo.SPAMcom> wrote in message
news:Ov******** ******@tk2msftn gp13.phx.gbl...
> aa wrote:
>> If I allow people to upload GIF or JPG files on my site, is there a
>> technical possibility to upload an executable file disguised as gif
>> or jpg and execute it on my server?
>
> I don't see how. Whether or not you are using a third-party component or a
> pure asp solution to handle the upload, you are in control over what
> happens to the file when it is processed in the server-side page.
>
> I suppose there is a possibility of some type of malware being sent to a
> client machine after it's been uploaded to the server (although I may be
> wrong about this part).
>
> You may get more details by asking on m.p.inetserver.iis.security. You may
> want to do a Google search first. This may be a FAQ.
>
> Bob Barrows
>
> --
> Microsoft MVP - ASP/ASP.NET
> Please reply to the newsgroup. This email account is my spam trap so I
> don't check it very often. If you must reply off-line, then remove the
> "NO SPAM"

Jul 19 '05 #3
> They make viruses built into email message which, when downloaded, start
> doing some things.

These have extensions that the operating system runs arbitrarily, such as
.pif or .scr. Not so with .gif or .jpg.

> This makes me think that one can write a virus camouflaged as a .gif file and upload it to the server.

No, can't really be done, since your operating system already knows what to
do with GIF files. The hacker would first have to alter your machine so
that it treated .GIF extension as something else. And this still wouldn't
affect your server, unless they altered the server that way, gained access
to the file system, and ran it. In which case, they wouldn't need to
disguise anything.

> If I direct all uploads to a directory with no execution permissions, would it prevent possible problems?


No, I assume you are worried about what happens when a user downloads the
file. If you put a file on your web server, anyone who accesses that file
via the web will be viewing it through their browser, or downloading it to
their machine.

--
Aaron Bertrand
SQL Server MVP
http://www.aspfaq.com/
Jul 19 '05 #4
It makes sense, thanks
Jul 19 '05 #5
You're welcome.

?

Ray at work

<aa> wrote in message news:%2******** *******@tk2msft ngp13.phx.gbl.. .
> It makes sense, thanks

Jul 19 '05 #6
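
A server-side check for the situation asked about in this thread, as an added example that is not part of any poster's reply: it compares the leading bytes of an upload with the claimed .gif/.jpg extension and picks the stored file name itself. It is written in Python rather than ASP; the function names, the size limit and the sample byte strings are assumptions made for illustration.

```python
import os
import secrets

# Leading-byte signatures for the two formats asked about in the thread.
SIGNATURES = {"gif": (b"GIF87a", b"GIF89a"), "jpg": (b"\xff\xd8\xff",)}
EXT_TO_KIND = {".gif": "gif", ".jpg": "jpg", ".jpeg": "jpg"}
MAX_BYTES = 2 * 1024 * 1024  # assumed upload size limit

# Constructed sample inputs (not real files).
SAMPLE_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00;"
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 16  # begins like a Windows executable


def sniff_kind(data):
    """Return 'gif' or 'jpg' when the content starts with a known signature."""
    for kind, magics in SIGNATURES.items():
        if data.startswith(magics):
            return kind
    return None


def check_upload(client_name, data):
    """Return (accepted, reason, stored_name) for one uploaded file."""
    # Only the final extension counts, so "photo.gif.asp" is treated as .asp.
    ext = os.path.splitext(client_name)[1].lower()
    claimed = EXT_TO_KIND.get(ext)
    if claimed is None:
        return (False, "extension not allowed", None)
    if len(data) > MAX_BYTES:
        return (False, "too large", None)
    if sniff_kind(data) != claimed:
        return (False, "content does not match extension", None)
    # The server chooses the stored name; the client's name and path are dropped.
    stored = secrets.token_hex(16) + "." + claimed
    return (True, "ok", stored)


if __name__ == "__main__":
    for name, body in [("photo.gif", SAMPLE_GIF), ("photo.gif", SAMPLE_EXE),
                       ("photo.gif.asp", SAMPLE_GIF), ("pic.jpg", SAMPLE_GIF)]:
        print(name, check_upload(name, body)[:2])
```

A matching signature only shows how the file starts, so the upload directory without execute permissions asked about in the thread is still worth having alongside this check.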
