Hackers trying to upload malicious files in EPiServer forms


How can we make sure that someone could not upload malicious files via publicly available EPiServer Forms?

/K

#205708
Jul 19, 2019 18:35

Good question! I'd like to confirm your definition of a malicious file: you're talking about malware/viruses, yes?

You could do it by Media Type / File extension out of the box. But if you want to actually scan the file for a virus, then I guess we can handle the Form Submit Event (maybe Custom Validation) and send the file to an API to check. Something like these: https://developers.virustotal.com/reference or https://www.attachmentscanner.com/ (I have no idea if these are good services, I just did a quick Google search).

#205712
Edited, Jul 20, 2019 0:27
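The first line of defence mentioned in the answer above (checking the media type / file extension) is cheap but only trustworthy if the file's content is also checked against what the extension claims. The following is an added example, not Episerver's own code and not part of this thread: a small validator that enforces an extension allowlist, a size cap, and a magic-byte check before the upload is saved as a blob. Where it gets called from (the form submit event or a custom validator mentioned above) is left to the integrator and is not shown; the allowed types and the 10 MiB limit are constructed values; sending the file to a scanning API would be a separate step after this check passes.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Added example, not Episerver's own code. Validates a form upload before it is
// stored as a blob. Call it from your form submission / custom validation step
// (that hook is not shown here); a malware-scanning API call comes afterwards.
public static class UploadValidator
{
    // Constructed allowlist: extension -> accepted file signatures at offset 0.
    private static readonly Dictionary<string, byte[][]> Allowed =
        new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase)
        {
            [".pdf"]  = new[] { new byte[] { 0x25, 0x50, 0x44, 0x46 } },                         // "%PDF"
            [".png"]  = new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } }, // PNG
            [".jpg"]  = new[] { new byte[] { 0xFF, 0xD8, 0xFF } },                               // JPEG
            [".jpeg"] = new[] { new byte[] { 0xFF, 0xD8, 0xFF } },
        };

    public const long MaxBytes = 10L * 1024 * 1024; // constructed limit: 10 MiB

    public static bool TryValidate(string originalName, Stream content, out string reason)
    {
        reason = null;

        // Never trust the client-supplied path; keep only the leaf file name.
        string name = Path.GetFileName(originalName ?? string.Empty);
        if (name.Length == 0 || name.Any(char.IsControl))
        {
            reason = "empty or malformed file name";
            return false;
        }

        // Only the last extension counts: "report.pdf.exe" is rejected here,
        // while "report.exe.pdf" falls through to the signature check below.
        string ext = Path.GetExtension(name);
        if (!Allowed.TryGetValue(ext, out byte[][] signatures))
        {
            reason = $"extension '{ext}' is not allowed";
            return false;
        }

        if (content == null || !content.CanRead)
        {
            reason = "no readable content";
            return false;
        }
        if (content.CanSeek && content.Length > MaxBytes)
        {
            reason = $"file exceeds {MaxBytes} bytes";
            return false;
        }

        // Read enough bytes for the longest signature accepted for this extension.
        int longest = signatures.Max(s => s.Length);
        var head = new byte[longest];
        int read = 0;
        while (read < longest)
        {
            int n = content.Read(head, read, longest - read);
            if (n == 0) break;
            read += n;
        }
        if (content.CanSeek) content.Position = 0; // leave the stream as we found it

        // The bytes on disk must match what the extension claims; an executable
        // renamed to .pdf fails here even though the extension check passed.
        bool matches = signatures.Any(sig =>
            read >= sig.Length && head.Take(sig.Length).SequenceEqual(sig));
        if (!matches)
        {
            reason = $"content does not look like a {ext} file";
            return false;
        }
        return true;
    }

    // Store under a generated name so the client-chosen name never reaches the
    // blob store or the link that is e-mailed to the customer service team.
    public static string StoredName(string originalName) =>
        Guid.NewGuid().ToString("N") + Path.GetExtension(originalName).ToLowerInvariant();
}
```

The extension check alone is what "Media Type / File extension out of the box" gives you; the signature check is what stops a renamed executable from getting through, and the generated storage name keeps the attacker's chosen file name out of the blob link. Neither replaces scanning the content with a malware-scanning service, which is the separate step the answer above describes.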

Usually, customers can submit their complaints or proofs via File Upload. The Customer Service Team reviews those submissions. EPi saves the uploaded file as a blob, and the e-mail to the Customer center goes with a link pointing to that blob. We had a real-time case where this was attempted but did not succeed. Wondering what other organizations are doing to protect themselves. Or maybe EPi has some built-in mechanism to prevent this.

/K

#205714
Jul 20, 2019 10:16

I'd be interested to know if Episerver offers anything. If we are talking Azure and Azure Blob storage, I don't believe Azure offers anything natively; I think their storage is just storage. It's secure and encrypted, but not scanned for malware.

I think the best options will be an API or VM / Container (like this C# solution: http://jasonhaley.com/post/Virus-Scan-File-Uploads-Using-Multi-Container-Web-App).

We regularly build solutions that allow User Generated Content and Forms Submissions, but we don't often consider this issue; we should. Interesting stuff mate, thanks for raising it.

#205715
Edited, Jul 20, 2019 11:58

I would recommend packing it up as a package and redistributing it to our fellow developers.

#205719
Jul 21, 2019 19:22