This archived community thread from the APG vNext support forum discusses: Disable script execution for the upfiles folder.
About This Topic
If you allow file attachment for your messages, make sure you also disable script execution capability for the ~/upfiles and ~/avatars folder. Disabling scr...
Getting Help with APG vNext
APG vNext is a powerful ASP.NET forum and community platform. For questions related to this topic:
- Browse the Knowledge Base for documented solutions
- Search the community forum for similar threads
- Check the FAQ for common questions and answers
- Review the Installation and Upgrade guides
If you need direct assistance, the support team is active in the community forum.
Disabling Script Execution in the APG vNext Upload Folder
The upload folder (/upfiles/) stores member-uploaded files: images, PDFs, ZIPs, and other attachments. If IIS is configured to execute scripts in this folder, an attacker who uploads a malicious .aspx or .php file could execute arbitrary code on the server. Disabling script execution in this folder is a critical security step for any public-facing APG vNext installation.
Method 1: IIS Handler Mappings (Recommended)
- Open IIS Manager
- Navigate to your site -> upfiles folder
- Double-click "Handler Mappings"
- In the Actions panel, click "Edit Feature Permissions"
- Uncheck "Execute" and "Script" - keep only "Read"
- Click OK
Method 2: web.config in the upfiles Folder
<!-- /upfiles/web.config -->
<configuration>
<system.webServer>
<handlers>
<!-- Remove ALL handler mappings -->
<clear />
<!-- Add only static file serving -->
<add name="StaticFile"
path="*"
verb="GET,HEAD"
modules="StaticFileModule"
resourceType="File" />
</handlers>
<!-- Block access to executable extensions -->
<security>
<requestFiltering>
<fileExtensions>
<add fileExtension=".aspx" allowed="false" />
<add fileExtension=".asp" allowed="false" />
<add fileExtension=".php" allowed="false" />
<add fileExtension=".exe" allowed="false" />
<add fileExtension=".dll" allowed="false" />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
</configuration>
Verify the Restriction
# Test: try to access a .aspx file in upfiles - should return 404 or 403
curl -I https://yourforum.com/upfiles/test.aspx
# Expected: HTTP/1.1 404 or 403 (NOT 200)
Additional Security Hardening for the Upload Folder
Disabling script execution is the most important security step, but it should be combined with other measures to fully protect the upload folder:
Restrict Allowed File Extensions
Configure APG vNext to only accept specific file extensions for upload. Any file type not on the allowlist is rejected before it is saved to disk:
<add key="APG.Upload.AllowedExtensions"
value=".jpg,.jpeg,.png,.gif,.webp,.pdf,.docx,.xlsx,.zip" />
<!-- Never allow: .aspx, .asp, .php, .exe, .dll, .bat, .ps1, .sh -->
Randomise Upload File Names
Replacing the original file name with a GUID prevents attackers from guessing uploaded file URLs and prevents overwriting existing files with crafted file names:
<add key="APG.Upload.RandomizeFileNames" value="true" />
<!-- Uploaded file becomes: /upfiles/a3f7b2c1-d8e4-4f9a-b6d2-1c0e8a7f5b3d.jpg
instead of: /upfiles/exploit.jpg -->
Validate File Content, Not Just Extension
Attackers can rename a PHP file to image.jpg and bypass extension-based filtering. APG vNext performs magic-byte validation to verify the file content matches the declared type:
<add key="APG.Upload.ValidateMagicBytes" value="true" />
<!-- APG vNext reads the file header bytes to confirm:
- .jpg starts with FF D8 FF
- .png starts with 89 50 4E 47
- .gif starts with 47 49 46 38
Files that don't match are rejected regardless of extension -->
IIS Antivirus Scanning of Uploaded Files
For high-security forums (corporate intranets, healthcare communities, financial services), consider configuring IIS to run uploaded files through an antivirus scan before they are saved. Windows Defender's real-time protection automatically scans new files in monitored directories. Ensure the /upfiles/ directory is within Windows Defender's monitored paths and that the IIS app pool identity has the necessary permissions for Defender to scan files written by it.
Content Security Policy for the Upload Directory
Even with script execution disabled, uploaded HTML files could be served as content with active JavaScript if the browser treats them as HTML. Prevent this with a Content-Security-Policy header that disables script execution for the upload folder entirely:
<!-- /upfiles/web.config -->
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy"
value="default-src 'none'; img-src 'self'; frame-ancestors 'none'" />
<add name="X-Content-Type-Options" value="nosniff" />
</customHeaders>
</httpProtocol>
Monitoring for Unauthorised Upload Attempts
Even with all the above protections in place, it is important to monitor for upload attempts that are being blocked, as persistent attempts indicate an active attack against your forum. APG vNext logs all rejected file upload attempts with the member ID, IP address, and rejected file extension. Review this log regularly, and configure automatic IP banning for members who make three or more rejected upload attempts within a 24-hour period — this automatically blocks accounts being used to probe for upload vulnerabilities without requiring manual intervention for each incident.
Testing Your Hardening Configuration
After applying all hardening measures, run a final verification test to confirm everything is working correctly. Attempt to upload a renamed executable file (e.g., test.aspx renamed to test.jpg) through the normal APG vNext upload interface as a test member account. The upload should fail with a content type validation error before the file touches disk. Then verify that directly accessing a known URL in the /upfiles/ directory with an .aspx extension returns a 404 or 403 status code rather than executing. Document the results of this test and schedule it as a recurring quarterly security check to ensure the protections remain intact after future APG vNext upgrades or IIS configuration changes.
Related Resources
- Forum Security Best Practices
- IIS Trust Level Configuration
- Image Upload Configuration
- Knowledge Base
Looking for more help? Browse the support forum or check the Knowledge Base.