By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
455,047 Members | 1,253 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 455,047 IT Pros & Developers. It's quick & easy.

Letting people upload files to web accessible area

P: n/a
Hello,

I'm currently making a CMS for my company, and in the CMS, the user
has the possibility to upload any file to a documents folder - both
for having a document archive and uploading pdf / doc / ppt etc files
that people who visits the site the CMS generates can download.

As the system will be used by many different people, it's possible
that some people will try to exploit this - by for example uploading a
php file with passthru("rm -rf /").

Currently, I'm blocking php/cgi/pl/php3/.htaccess files (by file
name/extension) - but its very likely that there is lots of ways that
I haven't thought about that people can exploit the system.

People can also upload files into a MySQL database (for non-public
accessible files), but I would prefer that the publically available
files are stored as usual files for performance reasons.

The system will be used on a variety of servers - probably both Linux
and Windows.

Thanks in advance for any help!
Eivind Lie Nitter
Jul 17 '05 #1
Share this Question
Share on Google+
3 Replies


P: n/a
On Fri, 17 Oct 2003 03:06:15 -0700, Eivind Lie Nitter hammered his head on
the keyboard and somehow managed to type:
I'm currently making a CMS for my company, and in the CMS, the user
has the possibility to upload any file to a documents folder - both
for having a document archive and uploading pdf / doc / ppt etc files
that people who visits the site the CMS generates can download.

As the system will be used by many different people, it's possible
that some people will try to exploit this - by for example uploading a
php file with passthru("rm -rf /").


How about uploads go in to a folder called /uploads.

In the /uploads folder put a .htaccess file with:

RemoveHandler .php .phtml .php3 (etc)

in it.

Or rename the files as they go up to a random filename, keep that filename
in the database, write a 404 handler for that folder so if they ask for a
filename it looks it up, opens the real filename and passes it through
(thereby stopping them running it on the server)

Cheers,
Andy
Jul 17 '05 #2

P: n/a
Andy Jeffries <ne**@andyjeffries.remove.co.uk> wrote:
On Fri, 17 Oct 2003 03:06:15 -0700, Eivind Lie Nitter hammered his head on
the keyboard and somehow managed to type:
I'm currently making a CMS for my company, and in the CMS, the user
has the possibility to upload any file to a documents folder - both
for having a document archive and uploading pdf / doc / ppt etc files
that people who visits the site the CMS generates can download.

As the system will be used by many different people, it's possible
that some people will try to exploit this - by for example uploading a
php file with passthru("rm -rf /").
How about uploads go in to a folder called /uploads.

In the /uploads folder put a .htaccess file with:

RemoveHandler .php .phtml .php3 (etc)

in it.


I like the idea - however this (and the suggestion under) chains me into
using Apache. I was hoping that the system could've been run on IIS too
(t has, however, not been tested on IIS yet). But I suppose this is
something I have to live with for security's sake. I guess there may
exist a similiar technique for IIS. One thing I especially like about
this is that it doesn't block people from uploading such files.
Or rename the files as they go up to a random filename, keep that filename
in the database, write a 404 handler for that folder so if they ask for a
filename it looks it up, opens the real filename and passes it through
(thereby stopping them running it on the server)


Another good idea :)

Thanks a lot for your time, Andy. I'll probably use the first technique
:)

--
Eivind Lie Nitter
el*@gmx.net
http://ununique.net
Jul 17 '05 #3

P: n/a
On Sun, 19 Oct 2003 00:08:45 +0200, Eivind Lie Nitter hammered his head on
the keyboard and somehow managed to type:
How about uploads go in to a folder called /uploads.

In the /uploads folder put a .htaccess file with:

RemoveHandler .php .phtml .php3 (etc)

in it.
I like the idea - however this (and the suggestion under) chains me into
using Apache. I was hoping that the system could've been run on IIS too
(t has, however, not been tested on IIS yet). But I suppose this is
something I have to live with for security's sake. I guess there may
exist a similiar technique for IIS. One thing I especially like about
this is that it doesn't block people from uploading such files.


The one below can certainly be done on IIS (however, I have no experience
of doing it):

http://www.highcontext.com/Articles/howto/404.php

I definitely don't know how to disable PHP parsing within a folder.

Also, using the above method, ensure your upload script won't allow them
to upload a new .htaccess file ;-)
Or rename the files as they go up to a random filename, keep that filename
in the database, write a 404 handler for that folder so if they ask for a
filename it looks it up, opens the real filename and passes it through
(thereby stopping them running it on the server)


Another good idea :)

Thanks a lot for your time, Andy.


No problem.
I'll probably use the first technique :)


Good luck and post back if you have problems.

Cheers,
Andy
Jul 17 '05 #4

This discussion thread is closed

Replies have been disabled for this discussion.