R2i DotNetNuke Blog


Part 2 - A Real Solution for Microsoft IIS ASP Multiple Extensions Security Bypass

Saturday, April 03, 2010 by Kevin M Schreiner

Yesterday I released an explanation, walkthrough video, and recommended settings to keep this issue from troubling your servers, and today, after extensive further testing, I have created a universal solution. The original issue, as discussed yesterday, is that users can upload files which appear to be of safe file types but are actually ASP script files.

Read the post from yesterday to get a full understanding of the magnitude of the issue:

Understand Your Server Security: Microsoft IIS ASP Multiple Extensions Security Bypass

Now, after discussions with a few hosting firms regarding the culprit and their stance on the availability of ASP within their hosted sites, I came up with two basic suggestions. First and foremost, the initial recommendation from yesterday was to block Active Server Pages from executing across the entire IIS instance; however, most hosting providers will allow ASP to execute, therefore allowing this issue to persist. The reason is that some clients may want legacy code to run, and blocking it at the server level would obviously cause issues.

So the second recommendation actually works out well here: if you ask your host to set Script Execution to None at the root of your website, the setting cascades across all the subfolders of the site. You can disable execution at any level of your site structure (or re-enable it on subfolders if you need it for legacy operation). This still stands as a solid recommendation, but it does require access to the server to change the setting.

To resolve this issue once and for all without needing any interaction from your host, I built, and supply here, both the source and the binary for an HttpModule which can be registered in any .NET web.config file.

Media: R2i.Intercept HttpModule Library | Source Code

Once running on the site, this binary performs the following steps:

  1. Before your application executes code, the HttpModule (r2i.ntercept) is executed.
  2. The HttpModule (r2i.ntercept) first checks whether the incoming request contains HTTP files within the form post.
  3. If files are detected, r2i.ntercept loops through the files and checks the associated file name.
  4. If the file name contains ".asp;", the file's input stream is immediately closed, leaving the file in the form with a zero length.
  5. Your application then takes over; if it processes file uploads, the uploaded file will either be safe and have data, or be unsafe and have no data.


As you can see, this resolves the problem regardless of the code base and of the user credentials used for uploading. The library simply eliminates the cause of the problem before your site even has to worry about it.

Feel free to grab the provided DLL and Visual Studio 2008 Source Code and use it within your sites to resolve the problem.

Setting the HttpModule up in your site is simple. First, extract R2i.ntercept.DLL from the provided archive. Then add the following two settings to your web.config file in the two designated regions:

Within <system.web> <httpModules> include the following:
  <add name="Ntercept" type="R2i.ntercept, R2i.ntercept" />

And, within <system.webServer> <modules> include the following:
<add name="Ntercept" type="R2i.ntercept, R2i.ntercept" />

That's it - go ahead to attempt a file upload and notice what happens to the files containing ".asp;" as part of their filename. No more worries!
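The following is an added example of how an IHttpModule applying the ".asp;" file-name check described above could be written; it is not the R2i.ntercept source from the download, and the namespace, class name and assembly name are placeholders. It differs from the post's approach in one deliberate way: instead of closing the file's input stream, it rejects the whole request with HTTP 403 before the application sees it, and it compares the file name case-insensitively so that an upper-case ".ASP;" is caught as well.

```csharp
using System;
using System.Web;

// Added example (not the R2i.ntercept source). Namespace and class names are hypothetical.
namespace Example.UploadGuard
{
    public class AspSemicolonUploadModule : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            // Run before any handler or page code, as the post describes for r2i.ntercept.
            app.BeginRequest += OnBeginRequest;
        }

        public void Dispose() { }

        private static void OnBeginRequest(object sender, EventArgs e)
        {
            HttpApplication app = (HttpApplication)sender;
            HttpRequest request = app.Context.Request;

            // Only multipart form posts carry uploaded files; nothing to do otherwise.
            // Note: touching Request.Files forces the full entity body to be read here.
            if (request.Files == null || request.Files.Count == 0)
                return;

            for (int i = 0; i < request.Files.Count; i++)
            {
                HttpPostedFile file = request.Files[i];
                if (IsSuspiciousFileName(file.FileName))
                {
                    // Design choice of this example: reject the request outright rather than
                    // emptying the file, so the application never receives a zero-length upload
                    // it might still save under the attacker-chosen name.
                    app.Context.Response.StatusCode = 403;
                    app.Context.Response.StatusDescription = "Forbidden";
                    app.Context.Response.Write("Upload rejected: disallowed file name.");
                    app.CompleteRequest();
                    return;
                }
            }
        }

        // The check from the post: ".asp;" anywhere in the client-supplied file name.
        // Case-insensitive, because IIS extension matching is case-insensitive.
        // Constructed sample: "report.asp;.jpg" is rejected, "report.jpg" is allowed.
        public static bool IsSuspiciousFileName(string fileName)
        {
            if (string.IsNullOrEmpty(fileName))
                return false;
            return fileName.IndexOf(".asp;", StringComparison.OrdinalIgnoreCase) >= 0;
        }
    }
}
```

Register it with the same two web.config entries shown above for R2i.ntercept, substituting type="Example.UploadGuard.AspSemicolonUploadModule, <your assembly name>" (the assembly name is a placeholder for whatever you compile the class into). The comment below asking whether semicolons should be allowed in file names at all points at a stricter variant of IsSuspiciousFileName: returning true for any ';' in the name, which also needs no list of script extensions to maintain.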


Comments


April 11, 2010

What if semicolons were not allowed in filenames?

BarryZ
New York, NY • Baltimore, MD • Vienna, VA • St. Louis, MO • Seattle, WA • 410.327.0007 • info@R2Integrated.com
