
On my website, users can upload static files (typically pictures) in a given folder.

I just saw this post by Scott Hanselman: http://www.hanselman.com/blog/BackToBasicsWhenAllowingUserUploadsDontAllowUploadsToExecuteCode.aspx

He recommends to add this in the web.config file to make sure that nothing can be executed in that folder:

<location path="upload">
    <system.webServer>
        <handlers accessPolicy="Read" />
    </system.webServer>
</location>

This seems to work. As a test I put an .aspx file in the folder in question. If I try to access it I get an "access is denied" error message while I can still access the pictures.

What I don't understand is why the uploader still works. Doesn't it need the Write permission to save the pictures in the folder?

1 Answer


What is not clear? Here is what Hanselman says:

A FIX FOR ARBITRARY CODE EXECUTION IN USER UPLOAD FOLDERS

What was the fix? Well, certainly not allowing someone to upload a file with a .aspx or .php extension for one, but also to mark the entire uploads folder as not executable! Here is the updated web.config:

Note the bold text: "but also to mark the entire uploads folder as not executable". In effect,

  <handlers accessPolicy="Read" />

means that a page like .php, .aspx and so on cannot be executed.


2 Comments

"Read" should make the folder only readable but with accessPolicy="Read" it is still possible to save (=to write) files in the folder. That's the question I'm asking: how come it is possible to save files in the folder when its policy has been set to read (only)? Or in other words, what does the "Write" policy do if with the "Read" policy you can write in the folder?
Hi Antony, I'm sorry but I was out. As per my personal experience there are a lot of permissions in IIS: read, write, list, modify, read and execute, full permission (which includes all permissions) and special permission. So I suppose (but I'm not sure) that you have applied only read permission, nothing else. Folders are writable as per iisusr or the roles which are enabled; instead, in that folder you do not have the permission to execute any script. And you can find the config here: technet.microsoft.com/it-it/library/dd391910(v=ws.10).aspx
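The following is an added example, not code from the question, the answer, or Hanselman's post. It models the decision IIS makes with `<handlers accessPolicy>`: the policy is matched against the access a *handler mapping* requires (static files need Read, ASP.NET pages need Script), so a request for `/upload/shell.aspx` is refused while `/upload/pic.jpg` is served. Saving an uploaded file is not a handler access at all: the uploader page lives outside the `<location>` block, runs under the root policy, and writes to disk under the application pool identity's NTFS permissions, which `accessPolicy` never touches. The handler table, the default policy of `Read, Script`, and the `web.config` sample are assumptions built for this model; real IIS resolves handler mappings from applicationHost.config.

```python
"""Simplified model of IIS <handlers accessPolicy> evaluation (added example)."""
import xml.etree.ElementTree as ET
from posixpath import splitext

# Constructed sample web.config: a site root plus the <location path="upload">
# block from the question. Not a real site's configuration.
WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script" />
  </system.webServer>
  <location path="upload">
    <system.webServer>
      <handlers accessPolicy="Read" />
    </system.webServer>
  </location>
</configuration>
"""

# Assumed handler table: file extension -> access the mapped handler requires
# (in IIS this is the requireAccess attribute of each handler mapping).
HANDLER_REQUIRE_ACCESS = {
    ".aspx": "Script",  # ASP.NET page handler
    ".ashx": "Script",  # ASP.NET generic handler
    ".asmx": "Script",  # ASP.NET web service
    "": "Read",         # anything else: static file handler (jpg, png, ...)
}

# Assumed IIS default when no accessPolicy is configured.
DEFAULT_POLICY = frozenset({"Read", "Script"})


def parse_access_policies(config_xml):
    """Return {folder: set_of_flags}; the key '' is the site root."""
    root = ET.fromstring(config_xml)
    policies = {}

    def read(node, folder):
        handlers = node.find("system.webServer/handlers")
        if handlers is not None and handlers.get("accessPolicy") is not None:
            flags = handlers.get("accessPolicy").split(",")
            policies[folder] = {f.strip() for f in flags if f.strip()}

    read(root, "")
    for loc in root.findall("location"):
        read(loc, loc.get("path", "").strip("/"))
    return policies


def effective_policy(policies, url_path):
    """Most specific <location> wins (longest directory prefix match)."""
    directories = url_path.strip("/").split("/")[:-1]
    policy = policies.get("", DEFAULT_POLICY)
    for i in range(1, len(directories) + 1):
        prefix = "/".join(directories[:i])
        if prefix in policies:
            policy = policies[prefix]
    return policy


def request_allowed(policies, url_path):
    """Would IIS run the handler mapped for this URL under the effective policy?"""
    ext = splitext(url_path)[1].lower()
    required = HANDLER_REQUIRE_ACCESS.get(ext, HANDLER_REQUIRE_ACCESS[""])
    return required in effective_policy(policies, url_path)


def folder_is_non_executable(policies, folder):
    """Audit check: neither Script nor Execute may be granted in the folder."""
    policy = policies.get(folder, DEFAULT_POLICY)
    return not ({"Script", "Execute"} & policy)


def demo():
    """Evaluate the requests discussed in the question against the sample config."""
    policies = parse_access_policies(WEB_CONFIG)
    return {
        "/upload/pic.jpg": request_allowed(policies, "/upload/pic.jpg"),
        "/upload/shell.aspx": request_allowed(policies, "/upload/shell.aspx"),
        "/upload/2019/shell.aspx": request_allowed(policies, "/upload/2019/shell.aspx"),
        # The uploader page sits outside the <location> block and still runs;
        # the file it saves is a file-system write by the app pool identity,
        # never a handler access check, which is why "Read" does not stop it.
        "/upload.aspx": request_allowed(policies, "/upload.aspx"),
        "upload folder non-executable": folder_is_non_executable(policies, "upload"),
    }


if __name__ == "__main__":
    for url, allowed in demo().items():
        print(f"{url}: {allowed}")
```

The `Write` flag in `accessPolicy` is consulted only for handler mappings that declare `requireAccess="Write"`; it has no bearing on what the application's own code may write through the file system, so the uploader keeps working under `accessPolicy="Read"`. The audit function is the check to run against a real web.config: an upload folder passes only if neither `Script` nor `Execute` is granted there.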
