asp upload

May 8, 2008 at 12:51 AM
I inherited an ASP site that was done several years back. No coding was placed on SQL calls for injection, so your filter seems to be a great option vs. fixing existing code. It works great; however, it breaks some pages that use the aspupload component for file upload. The upload starts but then eventually fails with an error...

Server Error
The server was unable to process your request.

Any insight into how to get aspupload and the filter to work in harmony is most appreciated. I turned off the filtering and the site was hit with injection yesterday and it's a PIA to restore the db...
Coordinator
May 8, 2008 at 4:21 AM
andyknas,

If you can compile the code, just abort the operation if the verb is not either "GET" or "POST" (I believe file upload uses "PUT" instead).

Conversely, you can put all upload code in another web application and use the ISAPI only for the normal application. It would not be a huge code change compared to fixing your ASP application to avoid SQL injection.

Please let me know if I answered your question. Please feel free to post another question if I did not solve your problem.

Thanks,

Rodney
May 14, 2008 at 4:54 PM
Rodney,

Your product is great; however, I have run into the same issue as andyknas. I attempted to implement your suggestion but am having difficulty building with the boost libraries. Would it be possible to add that condition and post a new executable? I am currently using the first build without the Viewstate correction. That one seems to hang my server.

Regards,
Chris
Coordinator
May 14, 2008 at 7:43 PM

Hi Chris,

I am working on a new version which will offer more flexibility; however, I don't know when I will be able to finish it. Most of the things which are now hard-coded will be treated as configurable.


cheetah17 wrote:
Rodney,

Your product is great; however, I have run into the same issue as andyknas. I attempted to implement your suggestion but am having difficulty building with the boost libraries. Would it be possible to add that condition and post a new executable? I am currently using the first build without the Viewstate correction. That one seems to hang my server.

Regards,
Chris


Jun 25, 2008 at 8:25 PM
Edited Jun 25, 2008 at 8:25 PM
Hi Rodney,

Thank you for your great solution. I am also using ASPUpload on an old ASP / VBScript project and would like to see support added. Will be watching this topic....

Regards,
Storm