Re: .exe uplpoads

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 05/22/04 

Date: Sat, 22 May 2004 04:55:21 -0700

That is impossible to do in a correct fashion. Given an arbitrary
URL/Request, it is impossible for anything on the Web Server to determine
whether it is an upload or not, thus it is not possible to stop web editors
from placing whatever files they want, once they have write permissions. If
fact, someone can simply upload a .htm and rename it to .exe -- so what you
are doing is not useful.

Honestly, allowing upload of .EXE is no biggie. All you need to make sure
is that same directory does not end up with "Scripts and Executables"
execution permission -- without this setting, a .EXE is treated no different
than a .HTM by IIS. 

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"anonymous" <anonymous@discussions.microsoft.com> wrote in message
news:fe5901c43eb3$53a7a3e0$a301280a@phx.gbl...
Thanks.  I already use the URLScan utility (which is
working fine)...was actually looking for a way to stop web
editors from placing .exe files within their subwebs all
together.
>-----Original Message-----
>You can use URLScan to disallow .EXE from being accepted
by the server on
>the URL (which disallows both requesting EXEs as well as
uploading EXEs).
>Otherwise, there is no generic feature for any web server
to disallow the
>upload of one file extension but not another.  HTTP does
not define an
>"upload", and custom web server extension can
implement "upload" in
>arbitrary manners.
>
>-- 
>//David
>IIS
>This posting is provided "AS IS" with no warranties, and
confers no rights.
>//
>"anonymous" <anonymous@discussions.microsoft.com> wrote
in message
>news:f3e801c43db9$09a244d0$a301280a@phx.gbl...
>Thanks in advance for any usefull replies.
>
>Environment:
>Win2k, 2000 FPSE, Intranet
>
>Question:
>
>Is it possible to disallow web editors from uploading .exe
>files to the content directories, and still allow them to
>go about daily content (.asp/.html) updating.
>
>Editors use Frontpage 2000 or 2002.
>
>
>.
>

Relevant Pages

  • Re: .exe uplpoads
    ... You can use URLScan to disallow .EXE from being accepted by the server on ... upload of one file extension but not another. ...
    (microsoft.public.inetserver.iis)
  • Re: Virus on Web Server
    ... Not unless something on your server renames it back to .exe and then ... > If I allow the user to upload a file of extension .gif to the web server ... will the user be able to upload a virus to the ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: HttpWebRequest file upload problem
    ... Here is the first on a remote web server. ... Here is the second connection which is just to another folder on my ... File upload failed: System.UnauthorizedAccessException: Access to the path ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: Uploading Large File to SQL
    ... However now when I'm upload a 500+mb file I run out of memory on the web server. ... private string SaveFileToSQL ... SqlDataAdapter myDataAdapter = new SqlDataAdapter ...
    (microsoft.public.sqlserver.programming)
  • Re: Uploading Large File to SQL
    ... However now when I'm upload a 500+mb file I run out of memory on the web server. ... private string SaveFileToSQL ... SqlDataAdapter myDataAdapter = new SqlDataAdapter ...
    (microsoft.public.dotnet.framework.aspnet)