Server side injection on ASP.NET backend (IIS) by arbitrary file upload

I’m not an expert in cyber security and exploits. I need help figuring out if my app is vulnerable and in what way.

Let’s assume I’m an idiot (and I’m not to this extent), and I leave the possibility for client users to upload (exploiting my front end) any file they want on my server in a subfolder (let’s call it ‘danger’) of my ASP.NET application, hosted on IIS. Being that way, anybody can upload a generic example.html file and access it back at the URL mydomain.com/danger/example.html. They can also upload JS files and whatever they want.

Let’s forget for a moment the fact they can fill my disk.

Given I prevented ASP execution from files in that folder, what kind of damage can I be subjected to?

Thanks in advance.

Answer

Just off the top of my head:

An attacker could upload a corrupted file which would trigger a remote-code execution vulnerability in your antivirus, potentially executing code under the local system account. (I’ve seen this happen with Windows Defender, and I’ve seen reports of similar vulnerabilities in other AV products.)

They could upload a file with a mangled name which exploited a bug in IIS to bypass your file-type checks and the “no execute” flag on the folder. (I’ve seen this reported, albeit in a very old version of IIS.)

If the files can be accessed publicly, they could host their own content on your site, potentially including illegal or malicious content. This could damage your site’s reputation, and potentially leave you liable to prosecution.
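
One way to write the file-type check so that a mangled client name never reaches the disk, as an added example that is not part of the original answer. The class name, the extension allowlist and the length limit are assumptions, and the sample names are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class UploadNamePolicy
{
    // Hypothetical allowlist (assumption): keep it to types the application really needs.
    private static readonly HashSet<string> AllowedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { ".png", ".jpg", ".pdf", ".txt" };

    // Returns true and a server-generated name when the client name passes every check.
    public static bool TryGetStoredName(string clientName, out string storedName)
    {
        storedName = string.Empty;
        if (string.IsNullOrEmpty(clientName) || clientName.Length > 100) return false;

        // Only ASCII letters, digits, '-', '_' and '.': this rejects path separators,
        // ':' (NTFS alternate data streams), ';', '%', spaces and control characters.
        if (!clientName.All(c => (c < 128 && char.IsLetterOrDigit(c)) || c == '-' || c == '_' || c == '.'))
            return false;

        // Exactly one dot, neither first nor last: no double extensions, no trailing dot.
        int dot = clientName.IndexOf('.');
        if (dot <= 0 || dot != clientName.LastIndexOf('.') || dot == clientName.Length - 1)
            return false;

        string ext = clientName.Substring(dot);
        if (!AllowedExtensions.Contains(ext)) return false;
        // Never write the client-supplied name to disk: store under a random name
        // with the validated extension, normalised to lower case.
        storedName = Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample names, not taken from the page.
        string[] samples = { "report.pdf", "photo.JPG", "page.html", "a.aspx.png",
                             "x.png.", "..\\web.config", "a;b.png", "pic.png:stream" };
        foreach (string name in samples)
        {
            bool ok = UploadNamePolicy.TryGetStoredName(name, out string stored);
            Console.WriteLine("{0,-18} {1}", name, ok ? "accept -> " + stored : "reject");
        }
    }
}
```

Only the first two samples are accepted. Because the stored name is generated on the server, nothing the client typed ends up in the path that IIS later parses.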