I upload a .csv file to server using ASP.NET FileUpload control and a button. How can I be sure if it is valid .csv file or not ? I mean hackers can write some scripts inside file or they can convert abc.exe to abc.csv and upload server. In second case, is there any way to execute abc.csv file and if it is, is there any solution to avoid from it?
I will read file and if it is in correct format, such as (name,age,birthplace), I will insert them to database. But hacker can write script like ('get all info','from','database').
I am using SQL Server and C#.
I had lots of research in internet but lots of posts are about images, not csv.
What are the risks of csv file while loading to server? How can I check if file has macro virus or something like that?
I hope I could explain my problem.
Please let me know your opinions.
private void ReadCSVFile(string filepath)
{
receiverList = new List<ReceiverUser>();
try
{
if (filepath == string.Empty)
return;
using (StreamReader sr = new StreamReader(filepath))
{
string line;
while ((line = sr.ReadLine()) != null)
{
SplitLine(line);
}
}
#region row add test
DataTable dt = new DataTable();
if (dt.Columns.Count == 0)
{
dt.Columns.Add("Name", typeof(string));
dt.Columns.Add("Mail", typeof(string));
dt.Columns.Add("Amount", typeof(double));
}
DataRow NewRow;
foreach (var item in receiverList)
{
NewRow = dt.NewRow();
NewRow[0] = item.Name + " " + item.Surname;
NewRow[1] = item.Mail;
NewRow[2] = item.Amount;
dt.Rows.Add(NewRow);
}
grdRec.DataSource = dt;
grdRec.DataBind();
#endregion
}
catch (Exception)
{
}
}
I read file using StreamReader. So if one of parameter of csv file includes a macro code, will it be executed directly? All I want is to know it actually.
Every potential vulnerability you expose yourself to when dealing with uploaded files is determined by what you do with the file.
If you can let users upload files, which you store as-is for other users to download, then one user can upload a virus-infected executable that will ruin another user's system.
If you let users upload files to any hosted directory because they can provide a target filename and/or directory, they can upload a file that gets interpreted and/or executed by the web server by issuing a request to the file (.php, .aspx, ...). This way a malicious user can execute their code on your server, doing whatever their evil heart desires.
If you let users upload an image and then resize it through some library, then your server is vulnerable to the exploits that exist in that version of that library. A malicious user can then for example inject executable code in an EXIF tag if some image processor library is known to be vulnerable to that.
If you read a CSV file and want to insert its data into a database, then if you simply concatenate an SQL string using this user input, you're going to have yourself a Bobby Tables.
If you run an uploaded Word file through the Word application itself (with all security turned off), then Word Macros will be executed on your server. You also don't want that.
So it all comes down to user input sanitization.
Now for your actual question: you're reading user input into a DataTable, in order to later insert that into an SQL database. This is just fine, because a DataTable will do the proper sanitization before crafting the SQL. But don't take my word for it: for all we know, the DataTable has an exploit as well.
You can follow the directions in the OWASP security topic about "Unrestricted file uploads" at https://www.owasp.org/index.php/Unrestricted_File_Upload.
In general, the best practice is to store the files with a internal and secure file name and store the real name in a database or another data source, associated to that file (also, it helps when the file name contains characters that are incompatible with the target filesystem).
If you don't need to track the file name of the uploaded file, then you can rename the file after uploading using another secure name.
Some Examples of distinct problems associated with file uploads are
Attacks on application platform
Upload .gif file to be resized - image library flaw exploited
Upload huge files - file space denial of service
Upload file using malicious path or name - overwrite a critical file
Upload file containing personal data - other users access it
Upload file containing "tags" - tags get executed as part of being
"included" in a web page
Upload .rar file to be scanned by antivirus - command executed on a
server running the vulnerable antivirus software
Attacks on other systems
Upload .exe file into web tree - victims download trojaned executable
Upload virus infected file - victims' machines infected
Upload .html file containing script - victim experiences Cross-site
Scripting XSS)
Upload .jpg file containing a Flash object - victim experiences
Cross-site Content Hijacking.
Upload .rar file to be scanned by antivirus - command executed on a
client running the vulnerable antivirus software
Related
i have a question, I have this code
foreach (string line in File.ReadLines(**#"C:\fis32v6\fis32.ini"**))
{
if (line.Contains("TEST1"))
{
Label1.Text="TEST1";
PdLine = "1";
}
}
DataSet ds;
ds = GetData(PdLine.ToString());
I want to read from txt file on client specific line with condition. When developing this and building the code it works, what ever i change in txt file can be read from my PC. But when I run the website on server it reads the txt file on that server instead of client I opened the website.
Is there any possibility to make the path relative?
As John mentioned that would be a huge security issue, mostly to make sure the website doesn't dig around in your system.
However it can be instigated from client side.
Just have search here on SO for 'upload file using asp.net' there are loads of hits with answers listed.
You didn't mention specific versions you use (MVC?, asp.net? / core?), and no context as to what workflow your code is running in (is it run on connection or during a specific process), is it configuration settings used for the web session itself? but it is possible to upload.
Should you require the file during startup that might be a bit trickier as you'd have to upload it somehow.
If however it is settings for the web session, why not save it in a cookie?
I use open XML to export excel file. SpreadsheetDocument.Create requires a file destination.
I want to get this file destination from user similar to a SaveFileDialog in Winforms.
How I get file destination from user? I use Asp.Net 4.0 and OpenXML SDK 2.5 .
SpreadsheetDocument spreadsheetDocument = SpreadsheetDocument.Create(destination, SpreadsheetDocumentType.Workbook);
For this functionality even if you use open/save dialog, it would show the client locations not the server locations. So here question is, do you want to save that file to the client machine or at the server machine?
If you want to save it to client machine then first save it on the server by any name and location you want and then initiate a download after that. It will automatically prompt download dialog in the client browser and there user would be able to select the location and filename (depending on the client browser settings).
If you want to save it only on server then just before generating the spreadsheet, prompt user for entering the filename (on the page from where the request is generated). If some of your folders are accessible to user then you can also prompt user to select one of the folders, otherwise choose one as per your choice/requirement. Use the filename and the location to generate the spreadsheet.
when a webserver is streaming a file down to the client, you don't have control of the destination folder. All you can do is:
specify the contents type (to aid client in determining how to handle)
specify filename
(I think) tell the client browser to save the file vs. displaying it automatically in the registered application (for example, PDFs usually display in the browser, but setting up the streaming correctly could force Save File dialog instead)
If you need to "cache" the file ion the web server, you export to a server folder that your server process has write permissions to. Then you stream to the client - the client will get the prompt from their browser and save where they want.
Look at Server.MapPath for example - it'll map virtual path to physical on your server. the question of permissions remains.
Depending on your particular case, you may be able to avoid saving to the server, if the export library has a way of returning a byte array or a stream, instead of saving to a file. In that case you just stream the return result to requester.
I am not familiar with the SDK you're using, but quick googling reveals this method of returning the document in a stream:
using (MemoryStream stream = new MemoryStream())
{
using (SpreadsheetDocument spreadsheetDocument = SpreadsheetDocument.Create(stream, SpreadsheetDocumentType.Workbook, true))
{
... work with the spreadsheetDocument, if needed
... prepare and stream to browser
}
}
Here's one of the references to your SDK I found
Use Environment.SpecialFolder enumerations. If you are looking for my documents then:
var destination = Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments)
SpreadsheetDocument spreadsheetDocument = SpreadsheetDocument.Create(destination, SpreadsheetDocumentType.Workbook);
Using the .NET assembly of WinSCP to upload a file. OperationResultBase.Check() is throwing the following error:
WinSCP.SessionRemoteException: Transfer was successfully finished, but temporary transfer file 'testfile.zip.filepart' could not be renamed to target file name 'testfile.zip'. If the problem persists, you may want to turn off transfer resume support.
It seems that this happens with any zip file that I try to send. If it makes a difference, these are zip files that were created using the DotNetZip library.
Code that I'm using, taken pretty much directly from the example in the WinSCP documentation:
public void uploadFile(string filePath, string remotePath)
{
TransferOptions transferOptions = new TransferOptions();
transferOptions.TransferMode = TransferMode.Binary;
TransferOperationResult transferResult;
transferResult = currentSession.PutFiles(filePath, remotePath, false, transferOptions);
transferResult.Check();
foreach (TransferEventArgs transfer in transferResult.Transfers)
{
Console.WriteLine("Upload of {0} succeeded", transfer.FileName);
}
}
Discussion over at the WinSCP forum indicates that the assembly doesn't yet allow programmatic control of transfer resume support. Is there a workaround for this?
It sounds as if the filesystem on the destination server where the file is getting uploaded to does not allow file change permissions. This could be causing the renaming of the file at the finish of the upload to fail despite the fact that the complete file was uploaded and written to the filesystem with the temporary file name used while the transfer was in progress. If you don't have administrative access to the destination server, you can test that by trying to rename a file that is already on the destination server. If that fails also, then you will either need to have the proper permissions on the destination server changed in order for that to work. Otherwise you might have to use the advice provided in your error message to turn off the resume support so it is initially opened for writing with the desired filename instead of the temporary filename (with the .filepart extension).
Turn off the resumesupport:
put *.txt -nopreservetime -nopermissions -resumesupport=off
It would help, if you included full error message, including root cause as returned by the server.
My guess is that there's an antivirus application (or similar) running on the server-side. The antivirus application checks any file once upload finishes. That conflicts with WinSCP attempt to rename the file once the upload is finished. The problem may tend to occur more frequently for .ZIP archives, either because they tend to be larger or simply because they need to get extracted before the check (what takes time).
Anyway, you can disable the transfer to temporary file name using the TransferOptions.ResumeSupport.
See also the documentation for the error message "Transfer was successfully finished, but temporary transfer file ... could not be renamed to target file name ..."
All you have to do is to disable TransferResumeSupport using the below code.
transferOptions.ResumeSupport = new TransferResumeSuppor {State = TransferResumeSupportState.Off };
We are creating CMS, in which we want to have the option to upload multiple files to FTP server. The steps are
Open FTP connection
Click browse - Select multiple files - Click upload to FTP
Create a folder on the FTP server
Rename the selected files and upload them to the folder
Close the connection
It will be good if it shows the status of the upload.
We are using asp.net with C#. Any sample code will help. Is there any good components available. I can spend max of $150 to buy a component.
Please help. Thanks in advance.
First of all, you should use an open source CMS and improve the code to your needs, don't try to reinvent the wheel!
Second, there is no need to spend money, plenty of solutions out there ...
you can use, for example Uploadify to pass user files to your server, then using any FTP Example upload the files to the FTP and delete them from the server upon success.
if you don't want to have the "middle men", just upload directly to the FTP
string name = Path.GetFileName(UploadControl.FileName);
byte[] data = UploadControl.FileBytes;
using (WebClient client = new WebClient()) {
client.UploadData("ftp://my.ftp.server.com/myfolder/" + name, data);
}
I have a problem with my code. My code is using the fileupload control to browse for a filename when you add a filename it processes it and the code runs fine on when it lives on local host, but when I put the code on our prodution server it cannot find the filenames listed by user.
For example if I use the upload control to browse to
B:\MIS\CH Intive\RPTTOFL_3.csv and the code lives on my localhost which know what that file path means it works, but if the code is moved to a production server it may or maynot know what B:/ is or B:/ maybe mapped to something else.
Even if I am browsing to a file on my C drive it will work on if the code is on the machine that the C drive is on, but it will not work if the code is on another machine because obviously that file wouldnt be on that C drive.
Private Function CSV2DataTable(ByVal filename As String) As DataTable
Using MyReader As New _
Microsoft.VisualBasic.FileIO.TextFieldParser(filename)
MyReader.TextFieldType = FileIO.FieldType.Delimited
.
.
.
What can I do in asp.net to make the filename work correctly?
Ok lets say I get the filename and save it as so
FileUploadControl.SaveAs(Server.MapPath("~/") + filename);
now I want to pass the filename to the function above for processing. Do I pass Server.MapPath("~/") + filename as the filename? Also when I am done what do I do to delete the file from the server?
It seems that you are mixing the client and server locations of the file. Before reading the uploaded file, the server-side code must save it on the server (client-side file location is mostly irrelevant at this point). From VS help on FileUpload class: "The code that you write to save the specified file should call the SaveAs method, which saves the contents of a file to a specified path on the server." The online help topic on FileUpload control has enough information (with examples) to achieve what you need.