Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1173
  • Last Modified:

Giving IIS_IUSR write access to Images folder on my website - is that a good idea?

Hi,
I need to have an upload control on my website so admin users can upload images to site. This is done from a SSL secure admin interface. To make it work I need to give the IIS_IUSR write access rights to the Images folder. Is that a good idea? Can't oversee the security implications.
Is there another way to accomplish this? Preferably without messing with the web.config (impersonate settings).

Any thoughts appreciated. Thanks.
Jens
0
MYTAIR
Asked:
MYTAIR
  • 3
  • 2
  • 2
1 Solution
 
tiago_avizCommented:
If the IIS_IUSR has only write access there on the images folder, the worst that could happen is somebody pasting a malicious .aspx or .asp file and executing it. Some good security measures:

1- control the file extensions that can be uploaded, so the malicious user can't upload .asp or .aspx files for an example.

2- make absolutely sure noone can get to the restricted upload area without authentication

3- Make absolutely sure your server is not prone to Remote file Include and directory traversal attacks

4- On your secure SSL login interface, make sure that after say, three wrong password attempts, the page will be unavailable for the attacker.

These should make your server un-interesting for attacks :)
0
 
bitlaCommented:
I suggest you to install or run a PHP uploader script and give access to the particular web link for that user only.

Just google it
You will find uploader scripts that restricts the file types being uploaded like it will only allow: jpg, png, jpeg etc.,

I am leaving for now if you can find it thats good enough or i will post the link after an hour from now
0
 
MYTAIRAuthor Commented:
Hi Tiago,
Thanks for your reply. 1, 2 and 4 are allready in place.
I don' t know how to implement your third suggestion. How do I make my server not prone to directory traversal attacks and remote file include. Directory browsing is not allowed on the ISS.

Cheers
Jens
0
Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

 
bitlaCommented:
0
 
tiago_avizCommented:
Item 3 need to be solved on two tiers: first on the server (keep it updated all the time), and on your application.

Directory traversal and remote file include attacks are usually exploited within poorly-coded apps. You can evaluate their security by using tools such as Nessus and Paros Proxy.

If you have security measures 1, 2 and 4 already in place, you're good to go.

Also, a security measure that I adopt to avoid Remote file includes is to block browsing and ftp from the web server.
0
 
MYTAIRAuthor Commented:
Thanks for the help!
0
 
MYTAIRAuthor Commented:
Bitla, thanks for your input, but a flash uploader script was not what I was looking for.
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

  • 3
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now