BOOK: ASP.NET 2.0 Instant Results ISBN: 978-0-471-74951-6
This is the forum to discuss the Wrox book ASP.NET 2.0 Instant Results by Imar Spaanjaars, Paul Wilton, Shawn Livermore; ISBN: 9780471749516
You are currently viewing the BOOK: ASP.NET 2.0 Instant Results ISBN: 978-0-471-74951-6 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
February 7th, 2010, 05:20 PM
Wrox Author
Exe files may be tricky at first, but thanks to ASPX files, they become much easier to execute.
Consider this ASPX file:
Code:
<%
protected void Page_Load(object sender, EventArgs e)
{
Response.Write("Hello World");
}
%>
Imagine I upload that file as Test.aspx, and you store it in the Uploads folder.
Requesting www.domainname.com/Uploads/Test.aspx *executes* that page and does everything I have coded in it (limited by the system permissions). In this example, it just writes an innocent message on the screen. Now, consider this:
Code:
<%
protected void Page_Load(object sender, EventArgs e)
{
Process.Start("MyScaryExeIJustUploadedInTheSameUploadsFolder.exe");
}
%>
Ooops, not so innocent now. Once you get here, it's pretty much game over if your security strategy is not in place. I can start FTP-ing files to a web accessible location, access your database, format drives and do pretty much anything I want, provided the security settings let me.
Clearly, the scope of the damage is limited by the permissions of the web server account.
This is not a hypothetical attack. This stuff happens. I have seen ASPX pages being uploaded to badly protected servers with this kind of code in them. Quite user friendly pages, in fact, with handy "Click to view files on the file system", "click to access the database" and so on. Very useful, until it's your own server, and someone else pressing those buttons....
I wouldn't "block" bad files; I would only allow good files. That's why the Upload pages in the Photo Album section of Planet Wrox only accept JPG files.
Scary world, eh? ;-)
Cheers,
Imar

February 11th, 2010, 01:04 PM
Authorized User
Thanks Imar, as usual you put things in perspective :) Does this apply to MS Word, Excel and others that have macros enabled?
I applied some mods to the code so it does some more inclusive and user-friendly error checking, but I'm stumped when it comes to inserting a variable in the error message. Could you clue me in? Here's the code where I would like to add what the "not allowed" file type is.
[ASPX code]
<asp:CustomValidator ID="CustomValidator1" runat="server"
    ErrorMessage="File type not allowed">*</asp:CustomValidator>
[VB code]
' The Or-group is parenthesized so the empty-name check applies to every extension
If FileUpload1.FileName <> "" And (FileUpload1.FileName.ToLower().EndsWith(".txt") _
    Or FileUpload1.FileName.ToLower().EndsWith(".pdf") _
    Or FileUpload1.FileName.ToLower().EndsWith(".doc")) Then
    'upload the file to the server...
    FileUpload1.SaveAs(Config.ShareLocalFolderPath _
        + FileUpload1.FileName)
    ...
    ...
    ....
End If
Dim CustomValidator1 As CustomValidator = CType(FileUpload1.FindControl("CustomValidator1"), CustomValidator)
CustomValidator1.IsValid = False
The above code outputs the generic message "File type is not valid" and I would like to make it more user friendly by saying "File type .docx not valid", but I don't have a clue as to how. Could you please give me a hint?
Thanks
Fed

February 12th, 2010, 03:45 AM
Wrox Author
Probably not, as you need Word on the server to execute them, which is typically not the case.
The sender argument of the custom validation method is of type CustomValidator. This means you should be able to change its message. I typed the following directly in this message so it may not compile, but something like this should work:
Code:
[ASPX code]
<asp:CustomValidator ID="CustomValidator1" runat="server"
ErrorMessage="File type {0} not allowed">*</asp:CustomValidator>
Code:
VB Code
' Your validation here
Dim myValidator As CustomValidator = TryCast(sender, CustomValidator)
If myValidator IsNot Nothing Then
Dim ext As String = System.IO.Path.GetExtension(FileUpload1.FileName)
myValidator.ErrorMessage = String.Format(myValidator.ErrorMessage, ext)
End If
If this only seems to work the first time, try disabling EnableViewState on the validation control.
Hope this helps,
Imar

February 13th, 2010, 02:41 PM
Authorized User
Thanks Imar,
I got it to work by changing it like so:
Code:
Dim CustomValidator1 As CustomValidator = CType(FileUpload1.FindControl("CustomValidator1"), CustomValidator)
If CustomValidator1 IsNot Nothing Then
    ' Mark the validator invalid first, otherwise the message is not displayed
    CustomValidator1.IsValid = False
    Dim ext As String = System.IO.Path.GetExtension(FileUpload1.FileName)
    CustomValidator1.ErrorMessage = String.Format(CustomValidator1.ErrorMessage, ext)
End If
I changed myValidator to CustomValidator1.
I replaced "TryCast(sender, CustomValidator)" with "(FileUpload1.FindControl("CustomValidator1"))" because CustomValidator1 was always "nothing" and I would get an exception.
Then I had to add "CustomValidator1.IsValid = False", otherwise the error message would not display.
And finally I did disable "EnableViewState" because it was working every other iteration.
I wanted to know why because I figured it out by stepping into the code and trying the various possibilities, not because I really understand.

February 13th, 2010, 02:54 PM
Wrox Author
And what object was sender?
Imar

February 13th, 2010, 04:54 PM
Authorized User
LOL! I guess 'sender' was a place holder for an object huh?

February 13th, 2010, 05:27 PM
Wrox Author
Lol?? Heuh??
Sender is the first parameter of your custom validation method, provided you're handling OnServerValidate....
Imar

February 13th, 2010, 06:11 PM
Authorized User
I'm not using OnServerValidate but I understand now;)
Thanks

February 13th, 2010, 06:15 PM
Wrox Author
If you did, my code would work, and sender would hold a reference to the validator. Why are you not using it? It's designed exactly for this task...
Cheers,
Imar

February 13th, 2010, 07:06 PM
Authorized User
Because I just jumped in to the app share and just wanted to modify the existing code with my limited knowledge. Here it is in its entirety:
Code:
<tr>
    <td><h2>2.</h2></td>
    <td style="width: 23px">
    </td>
    <td>
        Select File to Send (Up to 1 GB):
        <br />
        <asp:FileUpload ID="FileUpload1" runat="server" Width="386px" /><br />
        <br />
    </td>
    <td>
        <asp:RequiredFieldValidator ID="RequiredFieldValidator3" runat="server"
            ErrorMessage="Please Select File to Send using the 'Browse' button"
            ControlToValidate="FileUpload1" Display="Dynamic">*</asp:RequiredFieldValidator>
        <asp:CustomValidator ID="CustomValidator1" runat="server"
            ErrorMessage="File type {0} not allowed" EnableViewState="False">*</asp:CustomValidator>
    </td>
</tr>
Code:
Protected Sub btnSend_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnSend.Click
    ' The Or-group is parenthesized so the empty-name check applies to every extension
    If FileUpload1.FileName <> "" And (FileUpload1.FileName.ToLower().EndsWith(".txt") _
        Or FileUpload1.FileName.ToLower().EndsWith(".pdf") _
        Or FileUpload1.FileName.ToLower().EndsWith(".doc")) Then
        'upload the file to the server...
        FileUpload1.SaveAs(Config.ShareLocalFolderPath _
            + FileUpload1.FileName)
        'save the info to the database...
        Dim ResourceID As Integer = Resource.SaveResource( _
            FileUpload1.FileName, txtSenderEmail.Text, _
            txtRecipientEmail.Text, txtMessage.Text)
        'get the body of the email message...
        Dim emailBody As String = Resource.GetEmailBody( _
            txtMessage.Text, ResourceID, txtSenderEmail.Text, _
            txtRecipientEmail.Text)
        'send an email to the recipient...
        Utilities.SendEmail(txtRecipientEmail.Text, _
            txtSenderEmail.Text, Config.EmailSubject, emailBody)
        Server.Transfer("UploadComplete.aspx", True)
    End If
    ' Your validation here
    ' In a Click handler, sender is the button, so this cast always gives Nothing:
    'Dim myValidator As CustomValidator = TryCast(sender, CustomValidator)
    Dim CustomValidator1 As CustomValidator = CType(FileUpload1.FindControl("CustomValidator1"), CustomValidator)
    If CustomValidator1 IsNot Nothing Then
        ' Mark the validator invalid first, otherwise the message is not displayed
        CustomValidator1.IsValid = False
        Dim ext As String = System.IO.Path.GetExtension(FileUpload1.FileName)
        CustomValidator1.ErrorMessage = String.Format(CustomValidator1.ErrorMessage, ext)
    End If
End Sub
As you can see from above I just pasted your code as is then figured it out by trial and error. I'm sorry to say that the past 20 years I spent coding RPG on AS/400s is not helping me at all to grasp the concepts of VB and ASP...
Fed
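As an added example (not code from this thread or from the Wrox File Share project), here is the same validation moved into the OnServerValidate handler Imar describes: the allow-list check sets args.IsValid, sender really is the validator, and the file is stored under a server-generated name so the client-supplied name never decides where or as what the upload lands. The class name Upload, the OnServerValidate wiring in the markup comment and the "(none)" fallback are assumptions; FileUpload1, btnSend, CustomValidator1 and Config.ShareLocalFolderPath are the names used in the posts above.

```vb
' Added example, not from the thread or the Wrox File Share project.
' Assumed markup (the handler is wired with OnServerValidate):
' <asp:CustomValidator ID="CustomValidator1" runat="server"
'     ErrorMessage="File type {0} not allowed" EnableViewState="False"
'     OnServerValidate="CustomValidator1_ServerValidate">*</asp:CustomValidator>
Imports System.IO
Imports System.Web.UI.WebControls

Partial Class Upload   ' class name is an assumption
    Inherits System.Web.UI.Page

    ' Allow-list: only these extensions are ever written to disk ("allow good files").
    Private Shared ReadOnly AllowedExtensions As String() = {".txt", ".pdf", ".doc"}

    Protected Sub CustomValidator1_ServerValidate(ByVal sender As Object, _
            ByVal args As ServerValidateEventArgs)
        ' Use only the file name part: browsers (notably older IE) may send a full client path.
        Dim fileName As String = Path.GetFileName(FileUpload1.FileName)
        Dim ext As String = Path.GetExtension(fileName).ToLowerInvariant()

        args.IsValid = FileUpload1.HasFile AndAlso _
                       Array.IndexOf(AllowedExtensions, ext) >= 0

        If Not args.IsValid Then
            ' sender is the validator itself here, so no FindControl is needed.
            Dim validator As CustomValidator = TryCast(sender, CustomValidator)
            If validator IsNot Nothing Then
                Dim shown As String = ext
                If shown = "" Then shown = "(none)"
                ' With EnableViewState="False" the "{0}" template is reloaded from the
                ' markup on every request, so String.Format works on every postback.
                validator.ErrorMessage = String.Format(validator.ErrorMessage, shown)
            End If
        End If
    End Sub

    Protected Sub btnSend_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnSend.Click
        ' Validators run before Click fires; stop here if any of them failed.
        If Not Page.IsValid Then Return

        ' Server-generated name: the client never chooses the stored name, and the
        ' extension is one from the allow-list because validation already passed.
        Dim ext As String = Path.GetExtension(FileUpload1.FileName).ToLowerInvariant()
        Dim storedName As String = Guid.NewGuid().ToString("N") & ext
        ' Config.ShareLocalFolderPath is the project's setting; that folder should not be
        ' served by IIS (or have script execution disabled) so an uploaded page never runs.
        FileUpload1.SaveAs(Path.Combine(Config.ShareLocalFolderPath, storedName))
        ' ... database and e-mail steps as in the original handler ...
    End Sub
End Class
```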