Try our conversational search powered by Generative AI!

Hackers trying to upload malicious files in EPiServer forms


How can we make sure that someone could not upload malicious files via publically available EPiServer Forms?


Jul 19, 2019 18:35

Good question! I'd like to confirm your definition of a malicious file, you're talking about malware/viruses yes? 

You could do it by Media Type / File extension out of the box. But if you want to actually scan the file for a virus then I guess we can handle the Form Submit Event (maybe Custom Validation) and send the file to an API to check. Something like these or (I have no idea if these are good services, I just did a quick google search)

Edited, Jul 19, 2019 23:59

Usually, customers can submit their complaints or proofs via File Upload. Customer Service Team reviews those submissions. EPi saves uploaded file as a blob where Email to Customer center goes with a link pointing to that blob. We had a realtime case where this was attempted but not succeeded. Wondering what other organizations are doing to protect themselves. Or might be EPi have some built-In mechanism to prevent this.


Jul 20, 2019 10:16

I'd be interested to know if Episerver offer anything. If we are talking Azure and Azure Blob storage, I don't believe Azure offers anything natively, I think their storage is just storage. It's secure and encrypted, but not scanned for malware. 

I think the best options will be an API or VM / Container (like this C# solution, ).

We regularly build solutions that allow User Generated Content and Forms Submissions but we don't often consider this issue, we should. Interesting stuff mate, thanks for raising it. 

Edited, Jul 20, 2019 11:56

I would recommend to pack it up as package and redistribute it to our fellow developers..

Jul 21, 2019 19:22

I just came across this thread while investigating the same topic. Does Optimizely form have an inspection mechanism to detect malware; or we on our own and need to find 3rd party libraries to ensure attchments we receive via forms are safe? 

Apr 28, 2023 6:41

Based on my know-how of forms, you will have to develop some of your own mechanisms.

Apr 28, 2023 8:52
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.