How Do I Secure A Folder Used To Let Users Upload Files?
I have a folder in my web server used for the users to upload photos using an ASP page.
Is it safe enough to give IUSR write permissions to the folder? Must I secure something else? I am afraid of hackers bypassing the ASP page and uploading content directly to the folder.
I'm using ASP classic and IIS6 on Windows 2003 Server. The upload is through HTTP, not FTP.
Edit: Changing the question for clarity and changing my answers as comments.
Also, I would recommend not to let the users upload into a folder that's accessible from the web. Even the best MIME type detection may fail and you absolutely don't want users to upload, say, an executable disguised as a jpeg in a case where your MIME sniffing fails, but the one in IIS works correctly.
In the PHP world it's even worse, because an attacker could upload a malicious PHP script and later access it via the webserver.
Always, always store the uploaded files in a directory somewhere outside the document root and access them via some accessing-script which does additional sanitizing (and at least explicitly sets an image/whatever MIME type).
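The accessing script described in the answer above, sketched as an added example (not code from the original post, and written in Python rather than classic ASP to show the logic): it validates the requested name, confines the lookup to a storage directory outside the document root, and sets the content type from the file's leading bytes. The function name, the file-name pattern and the three allowed image types are assumptions.

```python
import os
import re
import tempfile

# Leading-byte signatures mapped to the only Content-Type values ever sent.
SIGNATURES = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
# Plain file names only: no path separators, no leading dots, known extension.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:jpe?g|png|gif)")


def serve_upload(storage_dir, requested_name):
    """Return (status, headers, body); storage_dir lies outside the document root."""
    if not SAFE_NAME.fullmatch(requested_name):
        return 400, {}, b""
    root = os.path.realpath(storage_dir)
    path = os.path.realpath(os.path.join(root, requested_name))
    # After symlink resolution the file must still sit directly in storage_dir.
    if os.path.dirname(path) != root or not os.path.isfile(path):
        return 404, {}, b""
    with open(path, "rb") as fh:
        body = fh.read()
    # The type comes from the content, never from the name or the uploader.
    ctype = next((t for sig, t in SIGNATURES.items() if body.startswith(sig)), None)
    if ctype is None:
        return 415, {}, b""
    headers = {
        "Content-Type": ctype,
        "X-Content-Type-Options": "nosniff",  # browser must not re-sniff the type
        "Content-Disposition": 'inline; filename="%s"' % requested_name,
        "Content-Length": str(len(body)),
    }
    return 200, headers, body


if __name__ == "__main__":
    store = tempfile.mkdtemp()  # stands in for the folder outside the web root
    # Constructed sample files: a PNG header, and non-image bytes named .jpg.
    with open(os.path.join(store, "cat.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
    with open(os.path.join(store, "holiday.jpg"), "wb") as fh:
        fh.write(b"MZ\x90\x00 constructed non-image bytes")
    for name in ("cat.png", "holiday.jpg", "../cat.png", "missing.gif"):
        print(name, serve_upload(store, name)[:2])
```

A file whose bytes do not match an allowed signature gets status 415 whatever its extension says, so the disguised-executable case from the answer is never served with an image type.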