I have a folder in my web server used for the users to upload photos using an ASP page.

Is it safe enough to give IUSR write permissions to the folder? Must I secure something else? I am afraid of hackers bypassing the ASP page and uploading content directly to the folder.

I'm using ASP classic and IIS6 on Windows 2003 Server. The upload is through HTTP, not FTP.

Edit: Changing the question for clarity and changing my answers as comments.

Question author Eduardo-molteni



Also, I would recommend not letting the users upload into a folder that's accessible from the web. Even the best MIME type detection may fail, and you absolutely don't want users to upload, say, an executable disguised as a jpeg in a case where your MIME sniffing fails but the one in IIS works correctly.

In the PHP world it's even worse, because an attacker could upload a malicious PHP script and later access it via the webserver.

Always, always store the uploaded files in a directory somewhere outside the document root and access them via some accessing script which does additional sanitizing (and at least explicitly sets an image/whatever MIME type).

Answer author Pilif
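As an added example (this is not part of Pilif's answer or the asker's code), here is what such an accessing script can look like in classic ASP on IIS6. It assumes, as a hypothetical layout not given on the page, that the upload page saves each photo under `D:\uploads\` (a directory that is not under the site's root or any virtual directory) using a generated alphanumeric id as the filename, and that the page is called as `/getimage.asp?id=<id>`. The MIME type is decided from the file's own magic bytes, never from its extension or from what the uploader's browser claimed.

```asp
<%@ Language=VBScript %>
<%
' Added example, not code from the original answer or any project.
' getimage.asp: serve an uploaded photo that lives OUTSIDE the web root.
' Assumptions (hypothetical, not stated on the page): files are stored as
' D:\uploads\<id> with an alphanumeric id chosen by the upload page, and
' IUSR has Modify rights on D:\uploads\ only. Called as /getimage.asp?id=<id>
Option Explicit

Const UPLOAD_DIR = "D:\uploads\"   ' assumption: outside the document root
Const adTypeBinary = 1
Const ID_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

' Compare the leading bytes of a binary string against a signature
' given as an array of byte values.
Function StartsWithBytes(bytes, sig)
    Dim i
    StartsWithBytes = False
    If LenB(bytes) < UBound(sig) + 1 Then Exit Function
    For i = 0 To UBound(sig)
        If AscB(MidB(bytes, i + 1, 1)) <> sig(i) Then Exit Function
    Next
    StartsWithBytes = True
End Function

' Decide the MIME type from the file's magic bytes. Returns "" for anything
' that is not a known image (e.g. an .exe or a script renamed to .jpg).
Function SniffImageType(bytes)
    SniffImageType = ""
    If StartsWithBytes(bytes, Array(&HFF, &HD8, &HFF)) Then
        SniffImageType = "image/jpeg"
    ElseIf StartsWithBytes(bytes, Array(&H89, &H50, &H4E, &H47, &H0D, &H0A, &H1A, &H0A)) Then
        SniffImageType = "image/png"
    ElseIf StartsWithBytes(bytes, Array(&H47, &H49, &H46, &H38)) Then
        SniffImageType = "image/gif"
    End If
End Function

' True only for a short id made of ASCII letters and digits, so "..\", ":"
' and "/" can never reach the file system call below.
Function IsSafeId(id)
    Dim i
    IsSafeId = False
    If Len(id) = 0 Or Len(id) > 40 Then Exit Function
    For i = 1 To Len(id)
        If InStr(ID_CHARS, Mid(id, i, 1)) = 0 Then Exit Function
    Next
    IsSafeId = True
End Function

Dim id, path, fso, stm, data, contentType

id = Request.QueryString("id")
If Not IsSafeId(id) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

path = UPLOAD_DIR & id
Set fso = Server.CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(path) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' Read the file as raw bytes through ADODB.Stream.
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
stm.LoadFromFile path
data = stm.Read
stm.Close
Set stm = Nothing

contentType = SniffImageType(data)
If contentType = "" Then
    ' Not a real image: refuse to serve it rather than let the browser guess.
    Response.Status = "404 Not Found"
    Response.End
End If

Response.ContentType = contentType
Response.AddHeader "Content-Disposition", "inline; filename=""" & id & """"
Response.AddHeader "X-Content-Type-Options", "nosniff"
Response.BinaryWrite data
%>
```

With this layout IUSR only needs write permission on `D:\uploads\`, and since no URL maps to that folder a request for an uploaded file by its path gets nothing; the only way out is through this script, which refuses to serve anything whose bytes are not a JPEG, PNG or GIF. The upload page should likewise generate the stored filename itself instead of reusing the name sent by the client.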
