Solved

Giving IIS_IUSR write access to Images folder on my website - is that a good idea?

Posted on 2011-03-11
Last Modified: 2012-05-11
Hi,
I need to have an upload control on my website so admin users can upload images to site. This is done from a SSL secure admin interface. To make it work I need to give the IIS_IUSR write access rights to the Images folder. Is that a good idea? Can't oversee the security implications.
Is there another way to accomplish this? Preferably without messing with the web.config (impersonate settings).

Any thoughts appreciated. Thanks.
Jens
Question by:MYTAIR
7 Comments
 
LVL 5

Expert Comment

by:tiago_aviz
ID: 35107877
If the IIS_IUSR has only write access there on the images folder, the worst that could happen is somebody pasting a malicious .aspx or .asp file and executing it. Some good security measures:

1- control the file extensions that can be uploaded, so the malicious user can't upload .asp or .aspx files, for example.

2- make absolutely sure no one can get to the restricted upload area without authentication

3- Make absolutely sure your server is not prone to remote file include and directory traversal attacks

4- On your secure SSL login interface, make sure that after say, three wrong password attempts, the page will be unavailable for the attacker.

These should make your server un-interesting for attacks :)
 
LVL 4

Expert Comment

by:bitla
ID: 35108244
I suggest you install or run a PHP uploader script and give access to the particular web link for that user only.

Just Google it.
You will find uploader scripts that restrict the file types being uploaded, e.g. they will only allow jpg, png, jpeg, etc.

I am leaving for now; if you can find it, that's good enough, or I will post the link in about an hour.
 

Author Comment

by:MYTAIR
ID: 35108286
Hi Tiago,
Thanks for your reply. 1, 2 and 4 are already in place.
I don't know how to implement your third suggestion. How do I make my server not prone to directory traversal attacks and remote file include? Directory browsing is not allowed on the IIS.

Cheers
Jens
 
LVL 4

Expert Comment

by:bitla
ID: 35109039
 
LVL 5

Accepted Solution

by:tiago_aviz (earned 250 total points)
ID: 35110673
Item 3 needs to be solved on two tiers: first on the server (keep it updated all the time), and second in your application.

Directory traversal and remote file include attacks are usually exploited within poorly-coded apps. You can evaluate their security by using tools such as Nessus and Paros Proxy.

If you have security measures 1, 2 and 4 already in place, you're good to go.

Also, a security measure that I adopt to avoid Remote file includes is to block browsing and ftp from the web server.
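Added example, not from the thread above: the checks tiago_aviz's first comment asks for (item 1, an extension allowlist) and the accepted solution's item 3 (traversal-safe paths), written as a small C# class that an ASP.NET upload handler would call after the admin login has already been verified. The class name ImageUploadGuard, the sample file names and the byte arrays are constructed for this example. On IIS 7 and later the identities involved are IUSR (the anonymous account) and the IIS_IUSRS group; the account that actually needs write access to the Images folder is the worker process identity (on IIS 7.5 and later, `IIS AppPool\<pool name>` by default), and it should get Modify on Images only, not on the application root.

```csharp
// Added example, not from the original thread: server-side gatekeeping for an
// admin-only image upload that lands in a folder the worker process can write to.
// ImageUploadGuard, the sample names and the byte arrays below are constructed
// for illustration. Compile as a console app (.NET Framework 4.x or .NET 6+).
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;

public static class ImageUploadGuard
{
    // Allowlist of extensions and the file signatures ("magic bytes") each must start with.
    // Anything else (.asp, .aspx, .ashx, .config, .php ...) never reaches the disk.
    private static readonly Dictionary<string, byte[][]> Allowed =
        new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase)
        {
            { ".jpg",  new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
            { ".jpeg", new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
            { ".png",  new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } } },
            { ".gif",  new[] { new byte[] { 0x47, 0x49, 0x46, 0x38, 0x37, 0x61 },    // GIF87a
                               new byte[] { 0x47, 0x49, 0x46, 0x38, 0x39, 0x61 } } }, // GIF89a
        };

    // Returns null when the upload is acceptable, otherwise the reason for rejection.
    public static string Reject(string clientFileName, byte[] content, int maxBytes)
    {
        if (content == null || content.Length == 0) return "empty upload";
        if (content.Length > maxBytes) return "larger than " + maxBytes + " bytes";

        // Keep only the last path segment, whichever separator the client used,
        // so "..\\..\\web.config" and "../x/shell.aspx" cannot steer the write.
        int cut = Math.Max(clientFileName.LastIndexOf('\\'), clientFileName.LastIndexOf('/'));
        string name = clientFileName.Substring(cut + 1);

        // Judge the LAST extension only: "shell.jpg.aspx" is .aspx and is refused;
        // "photo.aspx.jpg" is .jpg and is then also subject to the signature check.
        string ext = Path.GetExtension(name);
        byte[][] signatures;
        if (!Allowed.TryGetValue(ext, out signatures)) return "extension not allowed: '" + ext + "'";

        bool looksLikeImage = signatures.Any(sig =>
            content.Length >= sig.Length && content.Take(sig.Length).SequenceEqual(sig));
        return looksLikeImage ? null : "content does not match " + ext + " signature";
    }

    // The client's name is never used on disk; a random name removes overwrite
    // and naming tricks (reserved names, alternate data streams, Unicode lookalikes).
    public static string ServerFileName(string clientFileName)
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant()
               + Path.GetExtension(clientFileName).ToLowerInvariant();
    }

    // Resolve the destination and prove it is still inside the Images folder.
    public static string Destination(string imagesRoot, string serverFileName)
    {
        string root = Path.GetFullPath(imagesRoot).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, serverFileName));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("destination escaped the Images folder: " + full);
        return full;
    }

    public static void Save(string imagesRoot, string clientFileName, byte[] content)
    {
        string err = Reject(clientFileName, content, 2 * 1024 * 1024);
        if (err != null) throw new InvalidOperationException("upload refused: " + err);
        string path = Destination(imagesRoot, ServerFileName(clientFileName));
        // CreateNew + no sharing: never silently overwrite, never race another writer.
        using (var fs = new FileStream(path, FileMode.CreateNew, FileAccess.Write, FileShare.None))
            fs.Write(content, 0, content.Length);
        Console.WriteLine("stored " + path);
    }
}

public static class Demo
{
    public static void Main()
    {
        string imagesRoot = Path.Combine(Path.GetTempPath(), "images-demo");
        Directory.CreateDirectory(imagesRoot);

        // Constructed samples: a minimal PNG header and a text file posing as an image.
        byte[] png = { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0x00, 0x00, 0x00, 0x0D };
        byte[] script = System.Text.Encoding.ASCII.GetBytes("<% Response.Write(\"owned\") %>");

        ImageUploadGuard.Save(imagesRoot, "..\\..\\logo.png", png); // stored under a random name
        foreach (var attempt in new[] {
            Tuple.Create("shell.aspx", script),
            Tuple.Create("shell.jpg.aspx", script),
            Tuple.Create("shell.aspx.jpg", script),   // right extension, wrong bytes
            Tuple.Create("../web.config", script) })
        {
            Console.WriteLine(attempt.Item1 + " -> " +
                (ImageUploadGuard.Reject(attempt.Item1, attempt.Item2, 2 * 1024 * 1024) ?? "accepted"));
        }
    }
}
```

Running it stores the PNG under a random hex name inside the Images folder and prints why each of the four hostile uploads is refused. The remaining gap is the one tiago_aviz names in his first comment, a script file that somehow does get written there. Close it at the IIS level by putting a web.config in the Images folder with `<system.webServer><handlers accessPolicy="Read" /></system.webServer>`, which takes Script permission away from that folder so an .aspx or .asp stored there is not executed; note that the handlers section is locked at server level by default (overrideModeDefault="Deny" in applicationHost.config), so either unlock it or set the same thing through Handler Mappings > Edit Feature Permissions in IIS Manager. With write access limited to that one folder and execution disabled in it, the ACL the question asks about stops being a path to code execution.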
 

Author Closing Comment

by:MYTAIR
ID: 35111774
Thanks for the help!
 

Author Comment

by:MYTAIR
ID: 35111803
Bitla, thanks for your input, but a flash uploader script was not what I was looking for.
