Chapter 10: Using AspUpload in a Shared Environment

10.1 Disabling Potentially Dangerous Features

When AspUpload is used in a Web hosting environment, the system administrator may choose to disable certain features of the component that he/she deems potentially dangerous, such as saving files in an arbitrary directory, manipulating ACLs, directory listing, file downloading, etc.

The features are disabled by changing the corresponding values in the system registry. To run Registry Editor, type regedit at the Start/Run prompt.

The registry values used to disable the "dangerous" features are located under the key

HKEY_LOCAL_MACHINE\SOFTWARE\Persits Software\AspUpload3

By default, all the registry values under this key are set to 0 (enabled). Setting a value to 1 (or any non-zero value) disables the corresponding feature.

The following table lists all AspUpload methods that can be disabled via registry settings, and the corresponding registry values that disable them:

| Method | Registry Value | Comments |
|---|---|---|
| UploadManager.Save | DisableSave | When this main method is disabled, users are forced to use the SaveVirtual method, which accepts a virtual, rather than physical, directory as an argument. This confines users to their own virtual directory and its subdirectories. |
| UploadedFile.SaveAs | DisableFileSaveAs | When this method is disabled, users are forced to use the File.SaveAsVirtual method, which accepts a virtual, rather than physical, directory as an argument. This confines users to their own virtual directory and its subdirectories. |
| UploadManager.LogonUser, UploadManager.RevertToSelf | DisableLogonUser | Disables user impersonation functionality. |
| UploadedFile.AllowAccess, UploadedFile.DenyAccess, UploadedFile.RevokeDenial, UploadedFile.RevokeAllowance, UploadedFile.SetOwner | DisableACL | Disables permission manipulation functionality. |
| UploadManager.CopyFile, UploadedFile.Copy | DisableFileCopy | When these methods are disabled, users are forced to use UploadedFile.CopyVirtual. |
| UploadManager.RegisterServer | DisableRegisterServer | Disables ActiveX registration functionality. |
| UploadManager.RemoveDirectory | DisableRemoveDirectory | Disables directory removal functionality. |
| UploadManager.DeleteFile | DisableFileDelete | Disables file deletion functionality. UploadedFile.Delete is not affected by this setting, however. If Upload.OpenFile is also disabled, a user will only be able to delete newly uploaded files. |
| UploadManager.SendBinary | DisableSendBinary | Disables file download functionality. |
| UploadManager.Directory | DisableDirectoryListing | Disables directory listing functionality. |
| UploadManager.OpenFile | DisableOpenFile | With OpenFile, an UploadedFile object can be created from an arbitrary file on the hard drive, and methods such as File.Delete can then be called on it. Disabling this method limits a user to newly uploaded files only. |

10.2 Review of Most Risky Features

Some of AspUpload's "risky" features are more dangerous than others. Among the most dangerous are:

  • ActiveX registration. Using this feature, a malicious user can place a trojan-horse ActiveX DLL on the server, then register and invoke it with a simple ASP script.
  • Directory listing. This feature allows users to browse the entire web server's hard drive and download any file.
  • Account impersonation.
  • File deletion and directory removal.

After installing AspUpload on a shared Web server, it is recommended that most or all of the potentially dangerous features be disabled, or at the very least that the code samples exercising them be deleted from the installation directory. These samples are:

\Samples\09_misc\DirectoryListing.asp
\Samples\09_misc\Download.asp
\Samples\09_misc\DeleteFiles.asp
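The following PowerShell script is an added example and is not part of the AspUpload documentation or the product. It applies the registry settings from the table in 10.1 and the cleanup recommended in 10.2: it writes the Disable* values under the documented key, reads them back so an administrator can audit which features are still enabled, and removes the three listed sample files. The registry key, value names and sample paths come from this chapter; the installation directory is a placeholder that must be supplied, the grouping of values into a "high risk" subset follows the list in 10.2, and the function names are this example's own. Run it from an elevated PowerShell session on the Web server.

```powershell
# Added example; not AspUpload's own code. Key and value names are from the
# documentation above; the installation directory is an assumed placeholder.
$AspUploadKey = 'HKLM:\SOFTWARE\Persits Software\AspUpload3'

# Every registry value listed in the table in 10.1.
$AllFeatureValues = @(
    'DisableSave', 'DisableFileSaveAs', 'DisableLogonUser', 'DisableACL',
    'DisableFileCopy', 'DisableRegisterServer', 'DisableRemoveDirectory',
    'DisableFileDelete', 'DisableSendBinary', 'DisableDirectoryListing',
    'DisableOpenFile'
)

# Subset matching the "most risky" features named in 10.2.
$HighRiskValues = @(
    'DisableRegisterServer',   # ActiveX registration
    'DisableDirectoryListing', # directory listing
    'DisableSendBinary',       # file download (what a listing leads to)
    'DisableLogonUser',        # account impersonation
    'DisableFileDelete',       # file deletion
    'DisableRemoveDirectory'   # directory removal
)

function Disable-AspUploadFeature {
    param(
        [Parameter(Mandatory)][string[]]$ValueName,
        [string]$KeyPath = $AspUploadKey
    )
    # The key may not exist yet; create it so the values can be written.
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($name in $ValueName) {
        # Any non-zero value disables the feature; 1 is the documented convention.
        New-ItemProperty -Path $KeyPath -Name $name -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-AspUploadFeatureState {
    param([string]$KeyPath = $AspUploadKey)
    foreach ($name in $AllFeatureValues) {
        $item = Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
        $raw = if ($null -ne $item) { $item.$name } else { $null }
        [pscustomobject]@{
            Value    = $name
            Data     = $raw
            # A missing value or 0 means the feature is still enabled.
            Disabled = ($null -ne $raw -and $raw -ne 0)
        }
    }
}

function Remove-AspUploadRiskySample {
    param([Parameter(Mandatory)][string]$InstallDir)
    # Sample paths are relative to the installation directory, as listed in 10.2.
    $samples = @(
        'Samples\09_misc\DirectoryListing.asp',
        'Samples\09_misc\Download.asp',
        'Samples\09_misc\DeleteFiles.asp'
    )
    foreach ($rel in $samples) {
        $path = Join-Path $InstallDir $rel
        if (Test-Path $path) { Remove-Item -Path $path -Force; "removed $path" }
        else { "not present: $path" }
    }
}

# Usage (elevated session). Pass $AllFeatureValues instead to disable everything.
Disable-AspUploadFeature -ValueName $HighRiskValues
Get-AspUploadFeatureState | Format-Table -AutoSize
Remove-AspUploadRiskySample -InstallDir 'C:\PLACEHOLDER\AspUpload'  # assumed install directory
```

The audit function reports a feature as enabled when its value is absent, not only when it is 0, which matches the documentation's statement that every value defaults to enabled. One caveat the chapter does not cover: on 64-bit Windows a 32-bit COM component reads HKLM\SOFTWARE through the WOW64 redirection, so if AspUpload is registered as a 32-bit DLL the key it actually consults lives under HKLM:\SOFTWARE\Wow6432Node\Persits Software\AspUpload3; pass that path via -KeyPath and confirm with the audit that the values landed where the component reads them.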