I've been Googling all afternoon with no luck, so I've come to you for help!
I have an embedded system that is hosting the simplest of web pages:
<html>
<head></head>
<body>
<input type="button" value="Run" action="">
</body>
</html>
There is a little more to the page (just some system variables on display), but this is basically all it is. I generate this page from a simple C application that simply creates and updates a small run.html file in the web directory of my embedded system.
What I am TRYING to do, is when a user browses to the page and presses the button, a simple shell script or c app will create a tiny go.txt file with perhaps two characters 'GO' in the file. Just some kind of file to allow another application to eventually know that the button has been pressed.
I theorize that there is some syntax like action="/root/fs/go.sh" that might allow me this kind of access, but my experimentation has yielded no success. I should note that PHP is not enabled on the machine we are using.
My question for the group: is it this simple? Or am I missing some obvious web technology issue and going down a completely wrong path? Any feedback will be greatly appreciated.
Thanks,
To get the desired behaviour, you will have to do some works on the Web server. You will need to have some code on the server that will run the script you want upon receiving the form. The code on the server could be pretty much anything: a PHP script, a CGI application you coded in C, a custom Apache module, etc.
The bottom of this is, you will have to code something on the server side to do support that behavior. There is nothing in the HTML standard that let client request any script to be run on the server.
Related
I am writing an ASP.NET intranet application.
The server it will be deployed on has all the printers I need added to it.
I want to be able to access the printer using the code behind and print the contents of a web page I have set up for printing.
I do not want the java script solution, we are using that now, and we cannot allow users to see a print dialog. There are other security issues we have with this because we are trying to print checks. Also would like access and control over the print trays if possible.
I am looking for something along the lines of this:
http://forums.asp.net/t/587341.aspx?Access+Your+Network+Printer
Any help or references appreciated, been searching for 2 days haven't found much.
I have a hyperlink to an executable like so: Run Now
I'm trying to make the download dialog box appear without the save function as it is to only run only on the user's computer.
Is there any way to manipulate the file download dialog box?
FYI: Running on Windows Server '03' - IIS.
Please no suggestions for a WCF program.
Okay I found it for anyone stumbling upon this conundrum in the future.
Add the following tag to your head section: <meta name="DownloadOptions" content="nosave" /> and the file download dialog box will not display the "save" option.
For the user to not open/run but save replace "nosave" with "noopen"
Not unless you have some control over a user's machine. If your application can run on limited resources, you might want to consider doing it in Silverlight.
IMO, having a website launching an executable is a pretty bad idea.... even worst if that website is open to the general public (not on intranet). I don't know what that app is doing but it sure is NOT, 1) cross browser, 2) cross platform, and 3) safe for your users.
If you are on intranet, you might get away with giving the full server path (on a shared drive) to the executable and change security settings on your in-house machines.
Other than that, you won't succeed in a open environment such as the Internet.
From your comments, if the user downloading the file is the issue, then there's no way to get around it, as they have to download the file in order to be able to run it.
There's any number of ways to get around whatever you could manage in browser, from proxies like Fiddler intercepting the data, or lower level things like packet sniffing. Or even simply going into the browser's temp/cache folder and copying the file out once it's running.
You could probably get around most laymen by having a program that they can download that registers a file extension with Windows. Then the file downloaded from this site would have the URL of the actual data obfuscated somehow (crypto/encoding/ROT-13/etc). The app would then go and grab the file. The initial program could even have whatever functionality provided by what you want to download, but it needs the downloaded key.
But this is moving into the area of DRM and security by obscurity. If an attacker wants your file, and it's on the Internet, they will get the file.
I have a security problem in my website. A script code was added into my all pages like "<script src="Ip address/viewpic.asp"></script>" . It is between </head> and <body> tag. Now Google says "this site may be hartful for your pc!" about my site. How can i secure my website? I use C# and Visual Studio 2008.
You have been hacked. This code that has been added to your site is trying to hack web browsers that visit your site.
This could have happened a number of ways. The easist thing for you to do is to download an anti-virus like AVG and scan any machines with access to the site. There is malware that looks for FTP connections, it grabs the username/password then logs in and modifies files it finds. You should be using SFTP which can be installed under windows, FTP is only used by people who don't know any better or love to get hacked, or both.
The more complex possibility is that there is a vulnerability in your site. This requires a professional (Like me) to track down and fix. Acunetix can help find flaws in your site, but this might not find the vulnerability that was used to break in.
Edit: Assuming that the script is your own and not malicious:
You should not have any code between </head> and <body> - Otherwise you have got a <script> tag as a direct child of <html> which is not allowed.
Put the <script> tag inside <body> at the correct place where you want the script to execute, to correct the structural issue but you need to provide some more information about the exact error messages you are seeing about security as I'm not aware that Google shows error messages within its search listings and I dont have Google Toolbar installed to know what that does; but I don't believe it has typos in it ;)
So please provide more information about the exact security warnings once you've fixed - and validated (with the W3C Validator) - the structure of your HTML.
Edit: If the script is not intended to be there and has appeared outside of your desire:
Have a look in the HTML source where the script is present; and compare to your own ASPX pages to find out where the script is appearing. If it is being rendered by one of your controls you need to examine where the value is coming from. If it is a database, you need to focus your attention on what gets the information into the DB in the first place. If the script is injected and not into one of your controls then you should talk to your ISP I would think.
I'm creating an ASP.NET web application to schedule tasks on our server from a remote location using a .NET Wrapper for Scheduled Tasks. However, I'm stuck.
The user needs to be able to browse the file system on the server to retrieve a "file to run" for the new task that the user's creating in this application. I need to get the filepath/filename and pass it into the .NET wrapper.
I've tried using HTMLInputFile, but I haven't found a way to make that work for me.
Any help is appreciated.
Thanks
Update:
For this project, we've decided to simply list the executables in a dropdown box that would be available to users since they don't really need total access to the file system, just for security's sake.
HTMLInputFile is used to browse the client's file system and upload a file to the server. It isn't used to browse the server's file system.
You will need something quite different. You will need some server side code to display the server side folder structure to the user via the browser.
There is an example of a basic implementation of this here.
Update:
With that sample, the path that you replace "yourfolderHere" with needs to be a virtual path, rather than an absolute path. So for example "C:\Inetpub\wwwroot\uploads" won't work, but "uploads" will work.
I hope it goes without saying that there are serious security issues to think about when implementing something like this.
The HTMLInputFile will only work on the client-side machine.
You need to write a filesystem browser in ASPX/HTML that browses on the server-side.
Shouldn't be that hard to do.
You can't use the <input type="file" tag
This brings up a client-side dialog that browses the client machine.
As far as I am aware you need to create your own 'browser'.
eg You could use the My.Computer.Filesystem classes to retrieve a list of files in a folder and show those on the webpage. The user then selects the relevant file and posts a response back to the server.
You can use System.IO.Directory to get directories and files. These can be displayed in a number of ways. A simple browser / file selection should be possible in less than 50 lines of code.
Also be aware that you may need to grant extra permissions to the user that your web app runs as so the file system is accessible.
There are also various security implications around this, so don't grant access to everything unless you really need this.
I am trying to find out how to upload a file from a web user to a server using an ASP page. The displayed page has an Input tag of type "File" like this:
<input type="file" name="uploadfile">
And a submit button that passes the Form info to another .ASP page. This page must take the path it gets from the Input control and use it to somehow save the file to the server.
I keep thinking there must be a common way to do this, since I see this kind of thing on a number of websites, but how is it done? Is there some sort of server object that can be called for it?
This script will help you.
Also, you may google for "asp upload file" - there are tons of results.
If you are doing any serious uploading or have a commercial product you really need to use a COM component in classic asp. Check out SA-FileUp. It has been the defacto standard for this since like forever.
If your hosting service doesn't allow you to install components, you may also want to look at this script:
http://chris.brimson-read.com.au/index.php?option=com_content&view=article&id=6&Itemid=7
I've seen a wide variety of upload scripts floating around, and they ... vary ... in quality. I've not used the script in the selected answer, but its worth trying a few different options.
I can recommend SA-FileUp and Dundas Upload. They both are easy to install and have good tutorials on how to implement.