Hackers trying to upload malicious files in EPiServer forms


How can we make sure that someone could not upload malicious files via publicly available EPiServer Forms?

/K

#205708
Jul 19, 2019 18:35

Good question! I'd like to confirm your definition of a malicious file: you're talking about malware/viruses, yes?

You could do it by Media Type / File extension out of the box. But if you want to actually scan the file for a virus, then I guess we can handle the Form Submit Event (maybe Custom Validation) and send the file to an API to check. Something like these: https://developers.virustotal.com/reference or https://www.attachmentscanner.com/ (I have no idea if these are good services, I just did a quick Google search).

#205712
Edited, Jul 19, 2019 23:59
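The "Media Type / File extension" filtering mentioned above is only as strong as the check behind it, because a client controls both the file name and the declared content type. The following is an added example, not EPiServer/Optimizely code: a content-based allow-list check that compares the file's leading bytes ("magic bytes") against the claimed extension, so a renamed executable is rejected even though its name ends in ".pdf". The class name `UploadInspector`, the method `IsAcceptable`, the 10 MiB size limit and the signature table are assumptions; hooking it into the Forms submit or custom-validation pipeline is left to the Forms API and is not shown.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Added example (hypothetical class): content-based allow-list for form uploads.
public static class UploadInspector
{
    // Allowed extensions mapped to the header bytes a genuine file of that type
    // starts with. The extension alone is never trusted: a renamed executable
    // keeps its own header, so the header must agree with the extension.
    private static readonly Dictionary<string, byte[][]> Signatures =
        new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase)
    {
        { ".pdf",  new[] { new byte[] { 0x25, 0x50, 0x44, 0x46, 0x2D } } },                          // "%PDF-"
        { ".png",  new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } } },        // PNG header
        { ".jpg",  new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },                                      // JPEG SOI
        { ".jpeg", new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
    };

    private const long MaxBytes = 10L * 1024 * 1024; // assumed policy limit: 10 MiB

    // Returns true when the upload may be stored; otherwise 'reason' says why it was refused.
    public static bool IsAcceptable(string fileName, byte[] content, out string reason)
    {
        if (content == null || content.Length == 0)
        {
            reason = "empty upload";
            return false;
        }
        if (content.LongLength > MaxBytes)
        {
            reason = "upload exceeds size limit";
            return false;
        }

        // Keep only the file name part; the client-supplied name is never used as a storage path.
        string name = Path.GetFileName(fileName ?? string.Empty);
        string ext = Path.GetExtension(name);

        // Only the final extension counts, and it must be on the allow-list ("report.pdf.exe" fails here).
        if (!Signatures.TryGetValue(ext, out byte[][] magic))
        {
            reason = "file extension not allowed";
            return false;
        }

        // The first bytes must match one of the known headers for that extension.
        bool headerMatches = magic.Any(sig =>
            content.Length >= sig.Length && content.Take(sig.Length).SequenceEqual(sig));
        if (!headerMatches)
        {
            reason = "file content does not match its extension";
            return false;
        }

        reason = null;
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs, not real uploads.
        byte[] pdf = new byte[] { 0x25, 0x50, 0x44, 0x46, 0x2D, 0x31, 0x2E, 0x34 }; // "%PDF-1.4"
        byte[] exe = new byte[] { 0x4D, 0x5A, 0x90, 0x00 };                         // "MZ" PE header

        Check("invoice.pdf", pdf);          // accepted
        Check("invoice.pdf", exe);          // rejected: renamed executable, header mismatch
        Check("invoice.exe", exe);          // rejected: extension not on the allow-list
        Check("reports/invoice.PDF", pdf);  // accepted: directory part dropped, case ignored
    }

    private static void Check(string name, byte[] content)
    {
        bool ok = UploadInspector.IsAcceptable(name, content, out string reason);
        Console.WriteLine($"{name}: {(ok ? "accepted" : "rejected (" + reason + ")")}");
    }
}
```

Store the blob under a server-generated name rather than the client's, and serve it with a fixed Content-Type and a Content-Disposition of attachment, so the Customer Service link never executes content in the browser. This check catches mislabelled files and disallowed types; it does not detect a well-formed PDF carrying malicious content, which is where the external scanning service or scanner container discussed in this thread comes in.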

Usually, customers can submit their complaints or proofs via File Upload. The Customer Service Team reviews those submissions. EPi saves the uploaded file as a blob, and the email to the Customer Center goes with a link pointing to that blob. We had a real-time case where this was attempted but did not succeed. Wondering what other organizations are doing to protect themselves. Or maybe EPi has some built-in mechanism to prevent this.

/K

#205714
Jul 20, 2019 10:16

I'd be interested to know if Episerver offers anything. If we are talking Azure and Azure Blob Storage, I don't believe Azure offers anything natively; I think their storage is just storage. It's secure and encrypted, but not scanned for malware.

I think the best options will be an API or VM / Container (like this C# solution, http://jasonhaley.com/post/Virus-Scan-File-Uploads-Using-Multi-Container-Web-App ).

We regularly build solutions that allow user-generated content and form submissions, but we don't often consider this issue; we should. Interesting stuff mate, thanks for raising it.

#205715
Edited, Jul 20, 2019 11:56

I would recommend packing it up as a package and redistributing it to our fellow developers.

#205719
Jul 21, 2019 19:22

I just came across this thread while investigating the same topic. Does Optimizely Forms have an inspection mechanism to detect malware, or are we on our own and need to find 3rd-party libraries to ensure attachments we receive via forms are safe?

#300880
Apr 28, 2023 6:41

Based on my know-how of forms, you will have to develop some of your own mechanisms.

#300884
Apr 28, 2023 8:52