Public facing webfolder Google malware warning - asp.net

OS: Windows
Programming: C#, asp.net
I have a website that has a fileupload control and all the user uploaded files are stored in a folder on the server. This folder is NOT indexable by search engines and not viewable as a url (or file list view). From time to time I get a message from google webmaster tools that this folder has malware. As this folder is for uploading files, I have little control on its contents.
I wonder, there are so many websites out there which allow users to upload files.
What are the best practices?
Any tips to just avoid that Google keeps blacklisting this folder from time to time?
Thanks a lot in advance,
Prasad.

Are the files then referenced in links on your webpage or sitemap.xml? Google will find them afterwards, when indexing pages where the files are referenced.
Did you find the malware files? What file extensions did they have? Can you restrict the users to upload only certain (possibly safe) file types?
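Added example (not part of the original thread, and not the poster's code): one way to apply the "only certain file types" restriction suggested above. The class name `UploadGate`, the allow-list, the size limit and the store folder are assumptions; in a page, the stream would come from `FileUpload1.FileContent`.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;

public static class UploadGate
{
    // Allow-list (assumed for this example): extension -> bytes a file of that type starts with.
    static readonly Dictionary<string, byte[]> Allowed =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
    {
        { ".pdf", new byte[] { 0x25, 0x50, 0x44, 0x46, 0x2D } },                  // "%PDF-"
        { ".png", new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } },
        { ".jpg", new byte[] { 0xFF, 0xD8, 0xFF } },
    };
    const long MaxBytes = 10L * 1024 * 1024; // assumed size limit

    // Returns the stored path, or null when the upload is rejected.
    // 'content' must be seekable (e.g. FileUpload1.FileContent).
    public static string TrySave(string clientName, Stream content, string storeRoot)
    {
        string name = clientName ?? "";
        int dot = name.LastIndexOf('.');
        string ext = dot >= 0 ? name.Substring(dot) : "";
        byte[] magic;
        if (!Allowed.TryGetValue(ext, out magic)) return null;   // extension not on the allow-list
        if (content.Length < magic.Length || content.Length > MaxBytes) return null;

        byte[] head = new byte[magic.Length];
        content.Position = 0;
        int read = content.Read(head, 0, head.Length);
        if (read != head.Length || !head.SequenceEqual(magic)) return null; // content is not the claimed type
        content.Position = 0;

        // Server-generated name: the client's file name never reaches the disk.
        string target = Path.Combine(storeRoot, Guid.NewGuid().ToString("N") + ext.ToLowerInvariant());
        using (var fs = new FileStream(target, FileMode.CreateNew, FileAccess.Write))
            content.CopyTo(fs);
        return target;
    }

    public static void Main()
    {
        // Constructed samples; 'root' stands in for a store folder outside the web root.
        string root = Directory.CreateDirectory(Path.Combine(Path.GetTempPath(), "upload-demo")).FullName;
        var pdf = new MemoryStream(Encoding.ASCII.GetBytes("%PDF-1.4 constructed sample"));
        var exe = new MemoryStream(Encoding.ASCII.GetBytes("MZ constructed sample"));
        Console.WriteLine(TrySave("report.pdf", pdf, root) != null); // PDF name, PDF header
        Console.WriteLine(TrySave("tool.exe", exe, root) != null);   // extension not allowed
        Console.WriteLine(TrySave("tool.pdf", exe, root) != null);   // allowed name, wrong content
    }
}
```

The header check only confirms that the content matches the claimed type; it is not a malware scan, so files that pass can still be handed to a scanner before they are served.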

Related

Rooted Path and FileUpload Control

I know it's been asked and I have read the posts and Googled this all day. Still nowhere near something that works. Using an .aspx page, I need to upload a .pdf file to a specific website. I'm doing development using VS2017 and VB.Net. The app will run on different websites. It needs to upload client files to a specific different website and path. Also, the file name of the uploaded file will not be the same as the local source file. Creating the new name is no problem.
Let's say a local file must be uploaded to a website at https://www.appfileserver.co.za/pdfdocs, but I'm on https://www.myownsite.com. So, when using FileUpload1.SaveAs(rootedpath) the path that goes in there must be the rooted path to the target. What would the rooted path look like for the example I provided?
FYI, I know the IP addresses, http paths and anything else I need to know because I control those sites. It would be great to do an FTP upload. I have done this many times from desktop apps. Unfortunately I'd need the full path to the local file. It seems there is no way a web page is allowed to get that full path, so FTP upload is out - or is there a way?
After battling for two days trying to FTP upload from website to website (which is not possible because server firewalls block this), I finally solved it. The solution was a simple one. I deployed the upload .aspx file on the target server then embedded that in an iframe on the client machine apps. The files are then uploaded one time to the right place. Simple and 100% effective. Hopefully somebody sees this and understands it - so as to avoid the troubles I had.

When people mention storing files on the File System, is that referring to a folder within the app?

I need to store pdf files that will keep increasing with time on a folder for my app. But I'm not sure which method is considered 'good practice': should I store them in a folder within the project architecture (i.e. inside the Content folder) or in a folder outside the app? I tried searching online but most people just mention 'File System' and don't give examples of where they store it.
So my question is, when people mention storing files on the File System, do they usually mean storing it in a folder inside the app (like Content folder) or do they mean storing it in a folder outside the app?
For example: let's say my app's folders/files are within the container folder: /Container/AppFolder/. Should I store the pdf files in the app's Content folder (i.e. /Container/AppFolder/Content) or should I create a new folder OUTSIDE the app's folders to hold these pdf files (i.e. /Container/PDFFiles, so basically two folders within the container folder - one folder for the pdf files and the other folder for the app)? Which one is considered good practice? I have considered just putting these files in the Content folder but as the number of files keeps increasing I'm not sure if it is bad practice.
Thanks in advance.
You can put it wherever you want on the server; the program will just need proper permissions to that location (I use the IO namespace). However, you should put thought into how to organize the files and folders. Is each file to be tied to a specific ID or are they all in 1 folder? Think of things you'll need to handle like invalid file names (special characters), duplicate file names etc. Is the location strictly 1 way (upload only)? Or are you enabling download functionality? If you have download functionality, stress security, probably creating a download.aspx page specifically for handling download requests and authentication.
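Added example (not part of the original answer): a sketch of the lookup a dedicated download page could perform when the PDFs live in a folder outside the app. `DownloadResolver`, the naming rule and the store folder are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

public static class DownloadResolver
{
    // Assumed naming rule for stored files: letters, digits, '_' and '-', then ".pdf".
    // \A and \z anchor the whole string, so a trailing newline cannot slip through.
    static readonly Regex SafeName = new Regex(@"\A[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.pdf\z");

    // Maps a requested name to a file under storeRoot; returns null for anything else.
    public static string Resolve(string storeRoot, string requested)
    {
        if (requested == null || !SafeName.IsMatch(requested)) return null;
        string root = Path.GetFullPath(storeRoot).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, requested));
        // Defence in depth: the resolved path must still sit under the store root.
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return null;
        return File.Exists(full) ? full : null;
    }

    public static void Main()
    {
        // Constructed store folder and sample file, so the example runs on its own.
        string root = Directory.CreateDirectory(Path.Combine(Path.GetTempPath(), "pdf-store-demo")).FullName;
        File.WriteAllText(Path.Combine(root, "invoice-42.pdf"), "%PDF-1.4 constructed sample");
        string[] requests = { "invoice-42.pdf", @"..\web.config", "invoice-42.pdf\n", "missing.pdf" };
        foreach (string name in requests)
            Console.WriteLine("{0} -> {1}", name.Trim(), Resolve(root, name) ?? "(rejected)");

        // In download.aspx (code-behind), the same call would sit behind the login check:
        //   if (!User.Identity.IsAuthenticated) { Response.StatusCode = 401; return; }
        //   string path = DownloadResolver.Resolve(storeRoot, Request.QueryString["file"]);
        //   if (path == null) { Response.StatusCode = 404; return; }
        //   Response.ContentType = "application/pdf";
        //   Response.TransmitFile(path);
    }
}
```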

is it possible to find hidden files on website?

If I'm hosting a website, say at http://www.example.com, how can I find files that are in the same folder as index.html if I DON'T know the filenames?
So for example, if there are these files in there:
http://www.example.com/test.txt
http://www.example.com/test1.txt
Can anyone see this list of files? If so, how can I hide them, but make each one accessible to someone who knows the names? I don't want to use a password system, if possible.
If you put index.html in that directory, no files will be listed. If you allow uploads to that directory, I can upload some PHP script to list all files in the directory. If you don't know the file name, you can try to guess it :)
You can use bruteforce tools such as dirbuster, or you can look at the "/robots.txt" file for some clues on what's on the website.
By the way, you should keep in mind that most of web servers nowadays have rights management implemented, so even if there is such file on the server it may not allow you access to it without authentication.
Some hosting providers provide an option to specify whether directory listings are allowed. If enabled, and a client requests a URL for a folder that does not contain a default HTML file (index.html, default.html, default.aspx, etc), then the web server will serve up an HTML file containing a listing of the files in that folder. It is rare that this option is ever enabled, though.
But you should be accurate while inserting names of files in the URL, or else you can use a pen-test tool which will list out some of the names for free. For attempts at a full listing of files you'll need to be a paid member, I guess.

web.config ignoring certain files from requiring authentication

In my asp.net web application, I have a folder in which I have a few html and jpeg files. Some of these files do not need a user to login while the others do. How do I exclude the files that are free for view to be displayed without logging in while still maintaining the user to login for viewing other files in the same folder using just the config file. I wasn't able to find something relevant in the config file or maybe I overlooked it. If anyone knows please reply.
Thanks.
I've tried to answer this as well as I can but the sentence:
How do I exclude the files that are free for view to be displayed without logging in while still maintaining the user to login for viewing other files in the same folder using just the config file.
..is a bit confusing!
The files that need to be authenticated are the ones that are handled by the asp.net handler such as .aspx files. jpegs and other static files bypass this so can be viewed without authentication. The handler aspnet_isapi only handles certain files but you can configure it to handle more file extensions (or all files) by configuring extension mappings in IIS.
Personally, I would put all files I wanted to be unprotected in a folder with permissions to allow anyone to view that folder, set the aspnet_isapi handler to handle all files and then protect your other folders according to your application's needs.
Depending on what you want to do (as your question isn't that clear), you may or may not be able to achieve what you want just from the config file but hopefully this answer will give you the information you need to make your own conclusions on that.

Deleting a directory results in application restart

I have an application with 2 directories (books and export).
If we create a book or a page of a book in the application a directory is added with the id of the page (this is for uploading resources).
If we delete a page, the page (and its directory) is removed from the database and the filesystem.
However this resulted in a session loss (even an application restart). I've looked up something on Google and found the following link.
It seems to be a problem in ASP.NET 2.0 (and 3.5).
We are now thinking about writing a service that will clean up the directories at night.
But there has got to be another solution for this no?
Oh and putting the directory outside the virtual directory is not an option.
Try disabling the monitoring of the File System. This will keep your session alive.
This article may be useful for you.
Oh and putting the directory outside the virtual directory is not an option.
Putting the directory outside the virtual directory is the only solution I found (so far). What you can do, is to create a link (junction) in the file system so that the directory appears to be inside the virtual directory, e.g:
Our web site (virtual directory) is located at C:\projectX\website
the data directory (where we create/delete files and folders) is located at C:\projectX\data
then we create a link which makes the data folder available as C:\projectX\website\data
The link is created using the program Linkd.exe (available in the windows resource kit), with the following command:
linkd c:\projectX\website\data c:\projectX\data
Now c:\projectX\website\data is a link/junction which points to the real data directory. You can work with the link as if it were a physical directory.
E.g. in your web site you can access it using this code:
Server.MapPath("~/data")
And you can also use the Windows file explorer and browse to C:\projectX\website\data. It appears just like a real directory.
There seems to be a supported hotfix which achieves the same as the article Sachin mentioned (turn off the file change notifications in a web site).
Check this article in the microsoft KB for more information.
But since you mentioned in a comment, that you do not have access to the server, I guess this will also not help in your case.
For storing data files that are frequently updated, created and deleted you need to use App_Data folder in the root of the web site. MSDN for App_Data folder states:
Contains application data files including MDF files, XML files, as well as other data store files. The App_Data folder is used by ASP.NET 2.0 to store an application's local database, which can be used for maintaining membership and role information.
Also check Q&A section for App_Data folder usage: App_Data folder question
I had the same problem. The solution is to externalize the session handling by using the ASP.Net State service. The only drawback is that every object you place in the session needs to be serializable, as it is transferred to the state service and back.
I currently do not have the possibility to provide further links, but google will help you, now that you know what to search for.
