RE: (IIS) Customer file uploads - restrictions of file types

2000-08-30 Thread Dave Watts

 We are getting requests from our customers to upload files to 
 a password secured area of our site so they can share them with 
 other users from their company, as well as with our internal 
 people. The intent is for files like Excel, Word, and Powerpoint 
 documents. Some of the restrictions we need to do are pretty 
 straightforward, like who can upload, who can delete, total
 file size, etc., but what pitfalls do I need to watch out for 
 from a server security standpoint? We are on IIS 4.0, Windows NT 
 4.0 SP5, CF4.5 ENT, with plans to go to Win2000. Is it as simple 
 as restricting certain executable file types?

Rather than focusing on specific file types, which may be a losing battle,
you might simply make the directory itself safe.

1. Put it outside the web server document root. This way, the web server
itself won't be able to execute anything in there.

2. Only allow read and write rights within the directory. Remove execute
rights from ALL users!

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
--
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=listsbody=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.



RE: (IIS) Customer file uploads - restrictions of file types

2000-08-30 Thread Dan Haley

I'm sure I'm missing something really easy . . . if I take an uploaded file
from the customer and put it into a directory outside the web server root,
how do I give the customer access to that file in the future?  The idea
behind this app is sharing of files.  Do I cfcontent it with the mime type
based on the file extension?  Or, thinking hard now, someone mentioned an
application/unknown mime type?  Would that be my answer?

Hmmm, off to test this.  Better and previously thunk answers accepted
gladly. :)

Dan

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 30, 2000 6:29 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: (IIS) Customer file uploads - restrictions of file types



RE: (IIS) Customer file uploads - restrictions of file types

2000-08-30 Thread Dave Watts

 I'm sure I'm missing something really easy . . . if I take an 
 uploaded file from the customer and put it into a directory 
 outside the web server root, how do I give the customer access 
 to that file in the future? The idea behind this app is sharing 
 of files.  

You'd use the CFCONTENT tag to retrieve the file from the directory and
return it to the browser. You'd store information about the file (such as
the file name) in your database, and you'd use that information to retrieve
the file as desired.

 Do I cfcontent it with the mime type based on the file extension?  
 Or, thinking hard now, someone mentioned an application/unknown mime 
 type? Would that be my answer?

This depends on what you want to have happen. If you want all files, when
selected, to prompt the user to save them to disk, you'd use the
application/unknown MIME type. If, on the other hand, you want the browser
to decide what the appropriate action is, you'd use the MIME type
appropriate to each file.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
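An added example (not code from the thread) that ties Dave's two replies together in CF 4.5: an upload page that saves the customer's file into a directory outside the IIS document root, and a download page that serves it back with CFCONTENT by database id, choosing the MIME type the way he describes. The directory D:\customerfiles\, the datasource "share", the form field "userfile" and the table customer_files are assumptions.

```cfml
<!--- upload.cfm: save the customer's file into a directory that is NOT
      under the IIS document root (assumed path; set it to yours) --->
<cfset uploadDir = "D:\customerfiles\">

<cffile action="UPLOAD" filefield="userfile"
        destination="#uploadDir#" nameconflict="MAKEUNIQUE">

<!--- The browser supplies the name and MIME type, so this is only a
      convenience check; the real protection is the directory sitting
      outside the web root with execute rights removed for everyone. --->
<cfif NOT ListFindNoCase("doc,xls,ppt", file.serverFileExt)>
    <cffile action="DELETE" file="#uploadDir##file.serverFile#">
    <cfabort showerror="Only Word, Excel and PowerPoint files are accepted.">
</cfif>

<!--- Store the generated server name; the browser only ever sees an id --->
<cfquery name="ins" datasource="share">
    INSERT INTO customer_files (server_file, client_file, file_ext)
    VALUES (<cfqueryparam value="#file.serverFile#" cfsqltype="CF_SQL_VARCHAR">,
            <cfqueryparam value="#file.clientFile#" cfsqltype="CF_SQL_VARCHAR">,
            <cfqueryparam value="#file.serverFileExt#" cfsqltype="CF_SQL_VARCHAR">)
</cfquery>

<!--- download.cfm: look the file up by id (after your existing login
      check); never build the path from anything the user typed --->
<cfset uploadDir = "D:\customerfiles\">
<cfquery name="doc" datasource="share">
    SELECT server_file, client_file, file_ext FROM customer_files
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="CF_SQL_INTEGER">
</cfquery>
<cfif doc.recordCount EQ 0><cfabort showerror="No such file."></cfif>

<!--- Map the stored extension to a MIME type so the browser can decide what
      to do, or fall back to application/unknown to force a Save As prompt --->
<cfset mimeTypes = StructNew()>
<cfset mimeTypes.doc = "application/msword">
<cfset mimeTypes.xls = "application/vnd.ms-excel">
<cfset mimeTypes.ppt = "application/vnd.ms-powerpoint">
<cfif StructKeyExists(mimeTypes, doc.file_ext)>
    <cfset mime = mimeTypes[doc.file_ext]>
<cfelse>
    <cfset mime = "application/unknown">
</cfif>

<cfheader name="Content-Disposition"
          value="attachment; filename=""#doc.client_file#""">
<cfcontent type="#mime#" file="#uploadDir##doc.server_file#" deletefile="No">
```

Because the web server never maps a URL onto the upload directory, a file named something.cfm or something.asp that slips past the extension check is still just bytes handed back by CFCONTENT, which is the point of step 1 in Dave's reply.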



RE: (IIS) Customer file uploads - restrictions of file types

2000-08-11 Thread Rich Wild

One security aspect you need to evaluate is discussed on Bugtraq @:
http://www.ntbugtraq.com/default.asp?pid=36sid=1A2=ind9809L=NTBUGTRAQP=R2454

It deals with the default upload directory being c:\winnt 

--
Rich Wild
Senior Web Designer

---
e-mango.com ltd  Tel: 01202 587 400
Lansdowne Place  Fax: 01202 587 401
17 Holdenhurst Road
Bournemouth   Mailto:[EMAIL PROTECTED]
BH8 8EW, UK  http://www.e-mango.com

-Original Message-
From: Dan Haley [mailto:[EMAIL PROTECTED]]
Sent: 10 August 2000 18:43
To: '[EMAIL PROTECTED]'
Subject: (IIS) Customer file uploads - restrictions of file types


We are getting requests from our customers to upload files to a password
secured area of our site so they can share them with other users from their
company, as well as with our internal people.  The intent is for files like
Excel, Word, and Powerpoint documents.  Some of the restrictions we need to
do are pretty straightforward, like who can upload, who can delete, total
file size, etc., but what pitfalls do I need to watch out for from a server
security standpoint?  We are on IIS 4.0, Windows NT 4.0 SP5, CF4.5 ENT, with
plans to go to Win2000.  Is it as simple as restricting certain executable
file types?

All advice is truly appreciated . . . unless Dave Watts sends me more code
from our site . . . whoops . . . :)

Thanks,
Dan
