Chapter 10. Using AspUpload in a Shared Environment

Disabling Potentially Dangerous Features

When AspUpload is used in a Web hosting environment, the system administrator may choose to disable certain features of the component that he/she deems potentially dangerous, such as saving files in an arbitrary directory, manipulating ACLs, directory listing, file downloading, etc.

The features are disabled by changing the corresponding values in the system registry. To run Registry Editor, type regedit at the Start/Run prompt.

The registry values used to disable the "dangerous" features are located under the key

HKEY_LOCAL_MACHINE\SOFTWARE\Persits Software\AspUpload3

By default, all the registry values under this key are set to 0 (enabled). Setting them to 1 (or any non-zero value) would disable the corresponding feature.

The following table lists all AspUpload methods that can be disabled via registry settings, and corresponding registry values that disable them:

Method(s): UploadManager.Save
Registry value: DisableSave
Comments: When this main method is disabled, users will be forced to use the SaveVirtual method, which accepts a virtual, rather than physical, directory as an argument. This way users will be confined to their own virtual directory and subdirectories.

Method(s): UploadedFile.SaveAs
Registry value: DisableFileSaveAs
Comments: When this method is disabled, users will be forced to use the File.SaveAsVirtual method, which accepts a virtual, rather than physical, directory as an argument. This way users will be confined to their own virtual directory and subdirectories.

Method(s): UploadManager.LogonUser, UploadManager.RevertToSelf
Registry value: DisableLogonUser
Comments: Disables user impersonation functionality.

Method(s): UploadedFile.AllowAccess, UploadedFile.DenyAccess, UploadedFile.RevokeDenial, UploadedFile.RevokeAllowance, UploadedFile.SetOwner
Registry value: DisableACL
Comments: Disables permission manipulation functionality.

Method(s): UploadManager.CopyFile, UploadedFile.Copy
Registry value: DisableFileCopy
Comments: When these methods are disabled, users will be forced to use UploadedFile.CopyVirtual.

Method(s): UploadManager.RegisterServer
Registry value: DisableRegisterServer
Comments: Disables ActiveX registration functionality.

Method(s): UploadManager.RemoveDirectory
Registry value: DisableRemoveDirectory
Comments: Disables directory removal functionality.

Method(s): UploadManager.DeleteFile
Registry value: DisableFileDelete
Comments: Disables file deletion functionality. UploadedFile.Delete is not affected by this setting, however. If Upload.OpenFile is also disabled, a user will only be able to delete newly uploaded files.

Method(s): UploadManager.SendBinary
Registry value: DisableSendBinary
Comments: Disables file download functionality.

Method(s): UploadManager.Directory
Registry value: DisableDirectoryListing
Comments: Disables directory listing functionality.

Method(s): UploadManager.OpenFile
Registry value: DisableOpenFile
Comments: With OpenFile, an UploadedFile object can be created from an arbitrary file on the hard drive, and methods such as File.Delete can then be called on it. Disabling this method limits a user to newly uploaded files only.

Review of Most Risky Features
Some of AspUpload's "risky" features are more dangerous than others. Among the most dangerous are:

  • ActiveX registration. Using this feature, a malicious user can place a trojan-horse ActiveX DLL on the server, then register and invoke it with a simple ASP script.
  • Directory listing. This feature allows users to browse the entire web server's hard drive and download any files.
  • Account impersonation.
  • File deletion and directory removal.

After installing AspUpload on a shared Web server, it is recommended that most or all of the potentially dangerous features be disabled, or at least some of the code samples be deleted from the installation directory. This includes:

\Samples\09_misc\DirectoryListing.asp
\Samples\09_misc\Download.asp
\Samples\09_misc\DeleteFiles.asp
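The following PowerShell script is an added example, not part of the Persits documentation: it applies the registry lockdown described above and then audits the key to report any listed feature that is still enabled. It assumes the values are REG_DWORD (the chapter only says "any non-zero value") and, as a further assumption, also checks the WOW6432Node path in case the 32-bit component's key is redirected there on 64-bit Windows; run it from an elevated prompt.

```powershell
# Added example (not Persits Software's own code): lock down and audit the
# AspUpload3 "dangerous feature" registry values listed in Chapter 10.
# Assumptions: values are REG_DWORD; on 64-bit Windows the 32-bit component's
# key may be redirected to WOW6432Node, so both paths are handled.

$Paths = @(
    'HKLM:\SOFTWARE\Persits Software\AspUpload3',
    'HKLM:\SOFTWARE\WOW6432Node\Persits Software\AspUpload3'  # assumption
)

# The registry values from the table above, in the order the chapter gives them.
$DangerousFeatures = @(
    'DisableSave', 'DisableFileSaveAs', 'DisableLogonUser', 'DisableACL',
    'DisableFileCopy', 'DisableRegisterServer', 'DisableRemoveDirectory',
    'DisableFileDelete', 'DisableSendBinary', 'DisableDirectoryListing',
    'DisableOpenFile'
)

function Set-AspUploadLockdown {
    param([string[]]$KeyPaths = $Paths, [string[]]$Values = $DangerousFeatures)
    foreach ($key in $KeyPaths) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Values) {
            # 1 (any non-zero value) disables the feature; 0 or absent = enabled.
            Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
        }
    }
}

function Get-AspUploadEnabledFeatures {
    param([string[]]$KeyPaths = $Paths, [string[]]$Values = $DangerousFeatures)
    $stillEnabled = @()
    foreach ($key in $KeyPaths) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $Values) {
            $v = $props.$name
            # A missing value behaves like 0, i.e. the feature is still enabled.
            if ($null -eq $v -or [int]$v -eq 0) { $stillEnabled += "$key\$name" }
        }
    }
    return $stillEnabled
}

Set-AspUploadLockdown
$remaining = Get-AspUploadEnabledFeatures
if ($remaining.Count -eq 0) { 'All listed AspUpload features are disabled.' }
else { 'Still enabled:'; $remaining }
```

If a hosting policy needs one of these methods (for example SendBinary for downloads), remove its value from $DangerousFeatures before running, and re-run the audit function after any AspUpload reinstall to confirm the settings survived.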

Copyright © 1998 - 2001 Persits Software, Inc.
All Rights Reserved
AspUpload® is a registered trademark of Persits Software, Inc.