[Multiple File Upload] Security of MultiFileUpload in the http Post Request it uses

Forge Component
(49)
Published on 26 Jun by Remco Dekkinga
49 votes
Published on 26 Jun by Remco Dekkinga

In MultiFileUpload aplication (based on FineUploader) how to solve security issues when doing the upload sending the files in the list via http request?

Sure in an intranet or in a portal there is no big issues in using the FineUploader. But what about when the application is on the internet? We can make a request to a https. But how to make a trustworthy relation between the MultiFileUpload application and the server since it sends a simple http Post Request with all the files?

Any hints?


Thank you

Hello Pedro,

Are you referring to the security issues of having the "FileProcessURL" input parameter pointing to the ProcessFiles screen which is anonymous?


...


If so, this is a different problem from the http/https problem you are referring to.

Kind regards,

Márcio Menezes


Yes everyone can send files to that screen (ProcessFiles.aspx) that automatically accepts the files and saves them in the database. I think there should be extra security if this is to be used in the internet. Or when there is no prior validation of the user access.


How the MultiFileUpload handles this issue? How does it guarantee security in that screen?


Regards, and thank you Márcio

OK i understand a solution. If we remove the anonymous only registered user can acess the screen. Ok. Then I can do some grant permission so only users from my server can access that screen and send files.


I will give it a try thank you.

pedro menezes wrote:

OK i understand a solution. If we remove the anonymous only registered user can acess the screen. Ok. Then I can do some grant permission so only users from my server can access that screen and send files.


I will give it a try thank you.


That's a possibility but I recommend you to make a clone of MultipleFileUpload espace because if you by mistake update the component you will lose your changes.


Márcio Menezes

Hello,

"How the MultiFileUpload handles this issue? How does it guarantee security in that screen?"

It does not.

You can use curl to test that:

curl -i -X POST -H "Content-Type: multipart/form-data" -F "data=@yo_file_so_fat_it_will_fill_DB.zip" -F "SessionId=1234" -F "qqsize=-1" https://mmenezes.outsystemscloud.com/MultipleFileUpload/Upload.aspx


 This will, of course, make the server vulnerable to DoS attacks (filling the DB with crap).

On this situation the only thing that is "protecting" the server is the timer that deletes the files that are more than 15 minutes older. The file size is also limited by maxRequestLength of the web config but that does not guarantee security.

To prevent this you could indeed use roles or some kind of short lived token based auth. 

Kind regards,

Márcio Menezes 

Hello Márcio thank you again. I used a role that logs on and stays logged on while session is working. 

Of course the best way would be via webservice but I would had to change a lot since I don't want upload automatically etc... I mixed the original fine uploader code with the MultiFileUpload screen to ProcessFiles. It's working.

And also session variables to hold values to limit file size and number of files uploaded. What do you think? The role and session variables will be use to limit the access. Also I will have captcha etc..


Have a good week, regards