
Secure way to have file upload on form

I wanted to reach out to Mandeeps and the community to see how others are handling having a file upload on a form. As we have experienced some ransomware attacks in the past that have targeted some of our server environments and specific client websites, we have been working proactively to ensure we are doing everything we can on our end to protect the integrity of the websites and server environment.

That being said, we have a few clients that are wanting to have file upload fields to be used on their Live Form, and I have read many articles about simple files that can be uploaded where the file name or something can trigger a script to run on the server once uploaded, or that it could be infected but undetected until a certain action is taken. I have read other articles that have proposed other solutions of separating the folder where the files will be stored from the web server to a separate location from the website (which I am not sure that Live Forms can accommodate), with specific settings for this separate folder like disabling PowerShell and other things so scripts could not run from anything in the folder. I have a very in-depth article I read that explained some of this, if anyone is interested.

I have also looked into a simple file upload function that we could possibly embed within the Live Form that would actually upload the file to Box or something but not the web server. None of these seem like great solutions, and now I am considering, for these few forms, using something separate like Jotform or a similar stand-alone form builder that can be embedded in the site but would not upload the files to the website. This is not the direction I want to go, and it will be an added expense for my client on an ongoing basis, and we love Live Form and have built some awesome stuff on Live Form, so I wanted to see if this has been a concern of others, and what they have done or how they are handling this. This type of site security is beyond my expertise, so I am looking to see if Mandeeps or others have recommendations or thoughts.

Jerod Brown
Published 04/22/2021 18:08
Mandeep Singh

Live Forms supports Folder Providers; so if security is a concern you could do one of the following:

  1. Configure Live Forms so all uploads are stored in the Secure Database rather than FileSystem
  2. You can also configure Live Forms to store all files on a Cloud Service such as Azure or Amazon S3.
Live Forms enforces DNN Allowed File extensions as well as its own set of allowed extensions. Depending on your use case, a combination of these options should be sufficient to secure your DNN Site from malicious file uploads. 
replied 04/25/2021 01:32
AB@Wildlife

Have there been any developments specific to this concern? We also have a number of Live Forms instances (v7.0.3) allowing anonymous submissions, including file uploads, but there are two specific vulnerabilities that are especially concerning:

  1. The file-upload field can be used independently of form submission to upload an unlimited number of files.
  2. The file extension can be changed to circumvent the allowable file type restriction.
We're looking into utilizing MS Azure to guard against #2, but #1 seems like a flaw that can only be addressed in the module. Or is there some configuration that can prevent this?
 
We also love and depend heavily on this very cool product!
replied 06/01/2023 23:46
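The two weaknesses AB@Wildlife lists, and the extension allow-list Mandeep mentions, illustrate why an upload gate should not trust the client-supplied extension alone. The following is an added example written for this thread, not code from Live Forms, DNN or either poster: a small server-side gate that (a) keeps an extension allow-list but also requires the file content to carry the signature (magic bytes) expected for that extension, so renaming a script to `.pdf` is rejected, (b) stores the file under a server-chosen random name so the client name never reaches the filesystem, and (c) counts uploads per submitter over a sliding window so the upload endpoint cannot be used for unlimited uploads outside a form submission. The allow-list, size limit, quota, window and the `UploadGate` name are all assumptions chosen for the example; the submitter identifier is whatever the server can associate with the request (session id, CAPTCHA token, source address).

```python
import hashlib
import os
import secrets
import tempfile
import time
from collections import defaultdict

# Example policy (assumed for this illustration, not a Live Forms setting):
# each allowed extension maps to the content signature(s) it must start with.
ALLOWED = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
}
MAX_BYTES = 5 * 1024 * 1024          # reject anything larger than 5 MiB
MAX_UPLOADS_PER_SUBMITTER = 5        # sliding-window quota per submitter
WINDOW_SECONDS = 3600


class UploadRejected(Exception):
    """Raised with a short reason whenever the gate refuses a file."""


class UploadGate:
    def __init__(self, store_dir, now=time.time):
        self.store_dir = store_dir   # should be outside the web root
        self.now = now               # injectable clock, for testing
        self._log = defaultdict(list)  # submitter -> accepted-upload timestamps

    def _check_quota(self, submitter):
        cutoff = self.now() - WINDOW_SECONDS
        recent = [t for t in self._log[submitter] if t > cutoff]
        self._log[submitter] = recent
        if len(recent) >= MAX_UPLOADS_PER_SUBMITTER:
            raise UploadRejected("upload quota exceeded")

    def accept(self, submitter, client_name, data):
        self._check_quota(submitter)
        if len(data) > MAX_BYTES:
            raise UploadRejected("file too large")
        # The client-supplied extension only selects which signature we expect;
        # a double extension such as "x.pdf.aspx" yields "aspx" and is refused.
        ext = os.path.splitext(client_name)[1].lower().lstrip(".")
        if ext not in ALLOWED:
            raise UploadRejected(f"extension not allowed: {ext!r}")
        if not any(data.startswith(sig) for sig in ALLOWED[ext]):
            raise UploadRejected("content does not match declared extension")
        # Server picks the on-disk name; the original name is kept only as metadata.
        stored_name = secrets.token_hex(16) + "." + ext
        with open(os.path.join(self.store_dir, stored_name), "wb") as fh:
            fh.write(data)
        self._log[submitter].append(self.now())
        return {
            "stored_as": stored_name,
            "sha256": hashlib.sha256(data).hexdigest(),
            "original_name": os.path.basename(client_name),
        }


def demo():
    """Run the gate over constructed inputs; returns the outcome of each case."""
    store = tempfile.mkdtemp(prefix="uploads_")
    clock = [1_000_000.0]
    gate = UploadGate(store, now=lambda: clock[0])

    def rejected(*args):
        try:
            gate.accept(*args)
        except UploadRejected as exc:
            return str(exc)
        return None

    results = {}
    # Constructed sample inputs; the ASP.NET directive stands in for "a script renamed to .pdf".
    results["good_pdf"] = gate.accept("anon-1", "report.pdf", b"%PDF-1.7\n% constructed sample\n")["stored_as"].endswith(".pdf")
    results["renamed_script"] = rejected("anon-1", "notes.pdf", b'<%@ Page Language="C#" %>\n')
    results["bad_ext"] = rejected("anon-1", "notes.php", b"%PDF-1.7\n")
    results["double_ext"] = rejected("anon-1", "notes.pdf.aspx", b"%PDF-1.7\n")
    # Exhaust the per-submitter quota (one PDF already accepted above).
    for i in range(MAX_UPLOADS_PER_SUBMITTER - 1):
        gate.accept("anon-1", f"img{i}.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
    results["over_quota"] = rejected("anon-1", "one-more.png", b"\x89PNG\r\n\x1a\n")
    clock[0] += WINDOW_SECONDS + 1   # window expires, quota resets
    results["after_window"] = gate.accept("anon-1", "later.png", b"\x89PNG\r\n\x1a\n")["stored_as"].endswith(".png")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The signature check defeats the plain rename in AB@Wildlife's #2 but not a polyglot (a file that is both a valid PDF and valid script), which is why the storage location still matters: the directory should sit outside the web root, or in a database or cloud bucket as Mandeep suggests, so nothing stored there is ever served or executed by the web server. The quota is the module-side fix for #1; because the counter is keyed on the submitter, it has to be backed by whatever identity the anonymous form actually has (session, CAPTCHA token or source address), and the limit should be tied to the expected number of files per submission.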

Last Activity 06/12/2023 06:33