I’m sure it won’t take you long to think of a situation where you need to let your users upload images and other files to the site for further processing.
Well, here is something to consider when implementing such a module.
This one is more applicable to web applications in general than to SharePoint, and I will explain why. It’s quite common for your solution to let users upload files to the server for further processing.
Whether those are images or maybe an Excel sheet your application needs to perform some work on, there is a potential threat associated with this scenario. In one of the cases I have been involved with, an application was accepting a file from an administrative user. The file was an image associated with a business object, for later display within a web application. One day, of course, we found out that our system had been breached. After a bit of investigation, we realized that someone had uploaded an .aspx file instead of the planned image file and executed that script on the server. In this scenario, the file was placed into a directory within the web application folder and, due to a default security setting, the content there was executable.
The lessons learned here are the following:
1. Don’t write files uploaded by users to disk unless those files have to be permanently stored; if you only need to perform a temporary calculation, use an object in memory instead.
2. If you do need to save uploaded files to disk, store them in a directory outside of your web application, or disable script execution on the directory if it must be inside your web application folder.
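As an added example (not code from the original post), here is how both lessons look in an ASP.NET upload path: the bytes are inspected in memory, and only when the image must be kept is it written under a server-generated name to a folder outside the site. The class name, the `StorageRoot` path and the extension allow-list are assumptions for the illustration.

```csharp
using System;
using System.Drawing;
using System.IO;
using System.Web;

// Example only (not from the original post): validate an uploaded image in memory
// and, when it must be kept, store it outside the web application folder.
public class SafeImageUpload
{
    // Allow-list of image extensions; anything else (such as .aspx) is rejected outright.
    private static readonly string[] AllowedExtensions = { ".png", ".jpg", ".jpeg", ".gif" };

    // Assumption: a folder outside the site's physical path, so IIS never serves or executes it.
    private static readonly string StorageRoot = @"D:\AppData\Uploads";

    // Lesson 1: inspect the bytes in memory; never write a file to disk just to check it.
    public static bool IsValidImage(byte[] content)
    {
        try
        {
            using (var ms = new MemoryStream(content))
            using (var img = Image.FromStream(ms, useEmbeddedColorManagement: false, validateImageData: true))
            {
                return img.Width > 0 && img.Height > 0;
            }
        }
        catch (ArgumentException) { return false; } // GDI+ could not decode it as an image
    }

    // Lesson 2: persist only validated content, under a name the user did not choose,
    // in a directory the web application does not serve from.
    public static string Store(HttpPostedFile file)
    {
        string ext = Path.GetExtension(file.FileName).ToLowerInvariant();
        if (Array.IndexOf(AllowedExtensions, ext) < 0)
            throw new InvalidOperationException("Unsupported file type.");

        byte[] content;
        using (var ms = new MemoryStream())
        {
            file.InputStream.CopyTo(ms);
            content = ms.ToArray();
        }
        if (!IsValidImage(content))
            throw new InvalidOperationException("File is not a valid image.");

        string safeName = Guid.NewGuid().ToString("N") + ext;   // no user-supplied path segments
        File.WriteAllBytes(Path.Combine(StorageRoot, safeName), content);
        return safeName; // store this reference on the business object, not the original file name
    }
}
```

If the folder must stay inside the web application, the post's second option applies instead: a web.config in that folder with `<system.webServer><handlers accessPolicy="Read" /></system.webServer>` removes script execution for everything beneath it.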
Hope this helped.
Yaroslav Pentsarskyy