I have an uploader in an aspx page.
I have done validations for valid files such as .gif, .jpg, etc.

But if I change the extension of a file, for example if someone wants to upload exe files and changes its extension to .gif, then the file uploader uploads it...
How can I prevent these sorts of attacks by using the file uploader?

You are perfectly right. You can't believe what is sent from the client side. You have to check for yourself. What you need is detecting the mime type by the file content. There is a concept called "magic bytes" that is used under linux for example. Under windows I haven't found anything better than urlmon.dll (part of Internet Explorer), that you can call via p/invoke. Although the list of known types is not that long, it can be enough in your case.

This could also be interesting: http://www.netomatix.com/Products/DocumentManagement/MimeDetector.aspx
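The "magic bytes" check the answer describes, as an added example (not code from the answer or from the MimeDetector product): the first bytes of the upload are compared with the known signature of the image type the file name claims, so a renamed .exe (which starts with "MZ") is rejected regardless of its extension. The control id FileUpload1 in the usage comment is hypothetical.

```csharp
// Added example, not code from the original answer: check the first bytes of
// an upload ("magic bytes") against the signature of the image type its file
// name claims. A renamed .exe starts with "MZ" and fails every entry below.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;

public static class ImageSignatureCheck
{
    // Allowed extension -> accepted leading byte sequences for that type.
    private static readonly Dictionary<string, byte[][]> Signatures =
        new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase)
        {
            { ".gif",  new[] { Ascii("GIF87a"), Ascii("GIF89a") } },
            { ".jpg",  new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
            { ".jpeg", new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
            { ".png",  new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } } },
            { ".bmp",  new[] { Ascii("BM") } },
        };

    private static byte[] Ascii(string s)
    {
        return Encoding.ASCII.GetBytes(s);
    }

    // True only when the extension is on the allow list AND the content starts
    // with one of that type's signatures. Only the header is read, and the
    // stream is rewound afterwards so the caller can still save it.
    public static bool HasMatchingSignature(string fileName, Stream content)
    {
        byte[][] candidates;
        if (!Signatures.TryGetValue(Path.GetExtension(fileName), out candidates))
            return false;   // extension not on the allow list

        byte[] header = new byte[candidates.Max(s => s.Length)];
        int read = ReadHeader(content, header);
        if (content.CanSeek) content.Position = 0;

        return candidates.Any(sig => read >= sig.Length
                                     && sig.SequenceEqual(header.Take(sig.Length)));
    }

    // Stream.Read may return fewer bytes than asked for; loop until the
    // buffer is full or the stream ends.
    private static int ReadHeader(Stream s, byte[] buf)
    {
        int total = 0;
        while (total < buf.Length)
        {
            int n = s.Read(buf, total, buf.Length - total);
            if (n == 0) break;
            total += n;
        }
        return total;
    }

    // Usage in a page code-behind (the FileUpload control id is hypothetical):
    //   if (!ImageSignatureCheck.HasMatchingSignature(FileUpload1.FileName, FileUpload1.FileContent))
    //       { /* reject the upload */ }
}
```

The signature check stops the renamed-executable case from the question, but a file can carry a valid image header and still contain other content, so the check is one layer: keep the allow list short, store uploads outside the web root under a server-generated name, and serve them with a fixed image Content-Type rather than one derived from the upload.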
Hi,
One way of doing it:
C#
using System;
using System.ComponentModel;
using System.Diagnostics;

const int ERROR_BAD_EXE_FORMAT = 193;
try
{
    ProcessStartInfo psi = new ProcessStartInfo();
    psi.UseShellExecute = false;
    //psi.FileName = @"C:\\Region.xml";
    psi.FileName = @"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe";
    Process.Start(psi);
}
catch (Win32Exception ex)
{
    if (ex.NativeErrorCode == ERROR_BAD_EXE_FORMAT)
    {
        // The exception message would be
        // "The specified executable is not a valid application for this OS platform."
        //
        Console.WriteLine("Not a valid executable.");
    }
    else
    {
        throw;
    }
}
Comments
Zoltán Zörgő 26-Jun-13 9:05am    
Worst idea I ever heard! You really think it is wise to start an executable just to check if it is executable or not? Especially when trying to avoid attacks... Man, you opened a biiiiig portal in OP's application.
praks_1 27-Jun-13 1:05am    
I said this is one way and not the best. What you have suggested, MimeDetector????? What is so great about it!!!!!!!!!!!!!!!
Zoltán Zörgő 27-Jun-13 14:27pm    
But this one is no option at all. It would be a built-in security hole, nothing more.
But the idea could be used in the opposite direction: since the OP wants to check if the uploaded file is an image, one can try to create an image object from the file. If that succeeds, it can be treated as an image. Might not be the best, but could work.
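The "create an image object from the file" direction suggested in the last comment, as an added example that is not part of the thread: the upload is decoded with Image.FromStream and never executed, and the result is accepted only if GDI+ parsed it as one of the allowed formats with bounded dimensions. The size limits are the caller's choice and are placeholders here.

```csharp
// Added example, not from the comment thread: the "build an image object"
// check. The file is only parsed as an image, never started as a process.
using System;
using System.Drawing;
using System.Drawing.Imaging;
using System.IO;

public static class ImageDecodeCheck
{
    // True if the bytes decode as a GIF, JPEG or PNG with sane dimensions;
    // false for anything else (a renamed .exe makes Image.FromStream throw
    // ArgumentException, which is caught below).
    public static bool DecodesAsAllowedImage(Stream content, int maxWidth, int maxHeight)
    {
        try
        {
            // Second argument: useEmbeddedColorManagement = false.
            // Third argument: validateImageData = true, so GDI+ checks the bitstream.
            using (Image img = Image.FromStream(content, false, true))
            {
                if (img.Width <= 0 || img.Height <= 0) return false;

                // Guard against absurd dimensions that would cost memory later
                // when the image is resized or re-encoded.
                if (img.Width > maxWidth || img.Height > maxHeight) return false;

                ImageFormat f = img.RawFormat;
                return f.Equals(ImageFormat.Gif)
                    || f.Equals(ImageFormat.Jpeg)
                    || f.Equals(ImageFormat.Png);
            }
        }
        catch (ArgumentException)
        {
            // GDI+ rejects data it cannot parse as an image.
            return false;
        }
        catch (OutOfMemoryException)
        {
            // GDI+ raises this for some malformed files, not only for memory pressure.
            return false;
        }
    }

    // Usage from a code-behind (control id and limits are hypothetical):
    //   bool ok = ImageDecodeCheck.DecodesAsAllowedImage(FileUpload1.FileContent, 4096, 4096);
}
```

Two caveats for this approach: cap the upload length before decoding (the request size limit in web.config, or a check on the posted file's ContentLength), because the decoder has to read the whole file and a tiny file can describe a huge bitmap; and note that Microsoft documents System.Drawing as unsupported inside ASP.NET services, so it is a convenience check rather than a production-grade image parser. A full decode also means the image parser itself is exposed to attacker-controlled input, which is why the cheap signature check is usually run first.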

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)