Click here to Skip to main content
15,888,113 members
Search within:


Security vulnerability: .exe or other malicious must not upload by changing their header and extension .pdf, .doc, .docx, .xls, .xlsx, .jpg, .jpeg, .png etc
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
C#
.NET4.5
MVC5
We have allowed to upload .pdf, .doc, .docx, .xls, .xlsx and images like .jpg, .jpeg, .png files in ASP.net MVC 5 everything working fine but my security team raised security vulnerability. Security team changing the malicious file extension as allowed extensions and changing header with supporting file type header by tool before server hit and file get uploaded on server.

We are finding the solution in asp.net MVC C# but didn't get solution to stop uploading malicious file on server through my asp.net MVC C# application.

What I have tried:

We have used following code and also used winista mime detect but unable to get proper solution. They are not returning proper mime type

C#
public class urlmonMimeDetect
    {
        [DllImport(@"urlmon.dll", CharSet = CharSet.Auto)]
        private extern static System.UInt32 FindMimeFromData(
            System.UInt32 pBC,
            [MarshalAs(UnmanagedType.LPStr)] System.String pwzUrl,
            [MarshalAs(UnmanagedType.LPArray)] byte[] pBuffer,
            System.UInt32 cbSize,
            [MarshalAs(UnmanagedType.LPStr)] System.String pwzMimeProposed,
            System.UInt32 dwMimeFlags,
            out System.UInt32 ppwzMimeOut,
            System.UInt32 dwReserverd
        );

        public static string GetMimeFromFile(Stream fs)
        {

            byte[] buffer = new byte[256];
            fs.Read(buffer, 0, 256);

            try
            {
                System.UInt32 mimetype;
                FindMimeFromData(0, null, buffer, 256, null, 0, out mimetype, 0);
                System.IntPtr mimeTypePtr = new IntPtr(mimetype);
                string mime = Marshal.PtrToStringUni(mimeTypePtr);
                Marshal.FreeCoTaskMem(mimeTypePtr);
                return mime;
            }
            catch (Exception e)
            {
                return "unknown/unknown";
            }
        }
    }
Posted
Updated 11-Feb-21 13:57pm
Add a Solution

2 solutions

Pretty much, you can't. The only way to prevent this is to upload the file, and examine it's binary content. An EXE file always starts with a two byte prefix: .exe - Wikipedia[^] so you can check for those - but since they are ASCII / Unicode characters, it is possible (but unlikely) to get false positives.

Once identified, you can delete the data instead of saving it - but there is no way to do this without uploading the file data first.
 
Share this answer
 
Posted
Just a few thoughts. Had a similar problem.

General Process
1. Upload the file, using the stream data, saved to a temp file as a guid.
2. Check the signature of the file based on its original extension, if any - no reason to hide this right? ;)
3. Match against a signatures table & expected extension.

If allowed, rename, otherwise delete.

For example: search Wikipedia for File Formats and check the magic number section.

With some minor C# code, you could use this as a stand-alone, queued process to take the webserver out of it.
 
Share this answer
 
Posted
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month

Advertise
Privacy
Cookies
Terms of Use
Last Updated 11 Feb 2021
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web04 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900