ASP File upload script security

Kev

Lifer
Dec 17, 2001
I want to add a file upload script to my site, like Gmail has, where you can browse to a file and then upload it. Then this would be available to other visitors to the site. However, I'm concerned about security. But what would be the best method to make sure that no virus-infected files get uploaded? The server has a virus scan on it, so I'm wondering if that will take care of it...
 

Mark R

Diamond Member
Oct 9, 1999
A server virus scanner should offer some protection - however, if you're operating a publicly accessible file exchange server (which it sounds like you are) then you have to accept that this does pose a definite risk of allowing a virus or malicious software to spread.

I'm pretty sure that McAfee enterprise will scan all files as they are written to HD, and then loaded off HD - regardless of whether they are executed, or just served up. So this should be able to stop such infections, but I don't know how to get it to interact nicely with ASP (i.e. give the user a warning that their file was infected).

Don't forget that seemingly innocent files like HTML files can also contain security exploits that may not be detectable server side (e.g. cross-site scripting exploits that may use your site as an intermediary in an attack on another site). When I implemented a content management system that allowed upload of HTML, I had a filter which would strip out all scripts and behaviour attributes from the HTML/CSS.
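
An added example, not part of the thread and not Mark R's filter: one way to build the kind of HTML filter described in the reply above, as an allow-list that keeps a few formatting tags and drops scripts, event-handler and style attributes, and script-scheme links. Python is used here to show the logic (the thread concerns ASP); the tag, attribute and scheme lists and the sample input are constructed assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed allow-lists for this sketch: anything not listed is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}
SAFE_SCHEMES = {"http", "https", "mailto"}
SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)
# Constructed sample input (not from the thread).
SAMPLE = '<p onclick="x()">Hi</p><script>alert(1)</script><a href="jav&#x09;ascript:alert(1)">x</a>'

def safe_url(url):
    cleaned = "".join(ch for ch in url if ord(ch) > 0x20)  # browsers ignore these in a scheme
    m = SCHEME.match(cleaned)
    return m is None or m.group(1).lower() in SAFE_SCHEMES  # no scheme = relative URL

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = ""
            for name, value in attrs:
                ok = name in ALLOWED_ATTRS.get(tag, ())  # on* and style never match
                if ok and (name != "href" or safe_url(value or "")):
                    kept += f' {name}="{escape(value or "", quote=True)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # re-encode text as text

def sanitize(html_text):
    parser = Sanitizer()
    parser.feed(html_text)
    parser.close()  # flush text buffered by convert_charrefs
    return "".join(parser.out)
```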