WebApp Sec mailing list archives

Re: Files upload security considerations

From: ed <edvuln () s5h net>
Date: Sat, 11 Nov 2006 16:36:42 +0000

On Fri, 10 Nov 2006 14:06:43 +1300
Peter Butler <peter.butler () 141 com> wrote:


ideally, remove execute/write permissions to the file, so it's just
444. ensure the file is owned by nobody.

If you are running Linux a good option is to put user-uploaded files 
into a partition mounted with the "noexec" option.  This provides some

protection against someone uploading a malicious executable (although
I  don't think it will protect against a malicious PHP script, given
that  PHP scripts don't need execute permission to be run by the web
server).


this is only mod_php/mod_perl. for cgi exec i believe u+x, g+x, o+x
(111+) might be required.

using http to upload is probably the most reliable method of
uploading data, however, it's quite hard to upload large directories
unless the user packs everything into a tar/zip and the upload
processor is zip/tar aware.

Be aware that processing the file in any way (gzip/zip, resizing
images,  etc) exposes you to vulnerabilities that may exist in the
library or  program that you use to do the processing.  For example
there were  recently posts to the bugtraq mailing list about
vulnerabilities in gzip.


yes, other things too like adding it to a db with addslashes, pulling it
out and then putting it back into the db, but forgetting to run
addslashes again could pose a problem.


-- 
Regards, Ed                      :: http://www.s5h.net
:%s/\t/  /g                      :: proud unix system person
:%s/Open Source/Free Software/g

-------------------------------------------------------------------------
Sponsored by: Watchfire

It's been reported that 75% of websites are vulnerable to attack. That's 
because hackers know to exploit weaknesses in web applications. 
Traditional approaches to securing these assets no longer apply. 
Download the "Addressing Challenges in Application Security" whitepaper 
today, and see for yourself.

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008YTU
--------------------------------------------------------------------------

Current thread:

Files upload security considerations Alexander Berezhnoy (Nov 09)
- Re: Files upload security considerations ed (Nov 09)
  - Re: Files upload security considerations Peter Butler (Nov 11)
    - Re: Files upload security considerations ed (Nov 13)
- Re: Files upload security considerations Cleiton Martins (Nov 09)
- <Possible follow-ups>
- Re: Files upload security considerations c0redump (Nov 09)
- Re: Files upload security considerations c0redump (Nov 09)
  - Re: Files upload security considerations Hemil (Nov 11)