WebApp Sec mailing list archives
Re: Files upload security considerations
From: ed <edvuln () s5h net>
Date: Sat, 11 Nov 2006 16:36:42 +0000
On Fri, 10 Nov 2006 14:06:43 +1300 Peter Butler <peter.butler () 141 com> wrote:
ideally, remove execute/write permissions to the file, so it's just 444. ensure the file is owned by nobody.If you are running Linux a good option is to put user-uploaded files into a partition mounted with the "noexec" option. This provides some protection against someone uploading a malicious executable (although I don't think it will protect against a malicious PHP script, given that PHP scripts don't need execute permission to be run by the web server).
this is only mod_php/mod_perl. for cgi exec i believe u+x, g+x, o+x (111+) might be required.
using http to upload is probably the most reliable method of uploading data, however, it's quite hard to upload large directories unless the user packs everything into a tar/zip and the upload processor is zip/tar aware.Be aware that processing the file in any way (gzip/zip, resizing images, etc) exposes you to vulnerabilities that may exist in the library or program that you use to do the processing. For example there were recently posts to the bugtraq mailing list about vulnerabilities in gzip.
yes, other things too like adding it to a db with addslashes, pulling it out and then putting it back into the db, but forgetting to run addslashes again could pose a problem. -- Regards, Ed :: http://www.s5h.net :%s/\t/ /g :: proud unix system person :%s/Open Source/Free Software/g ------------------------------------------------------------------------- Sponsored by: Watchfire It's been reported that 75% of websites are vulnerable to attack. That's because hackers know to exploit weaknesses in web applications. Traditional approaches to securing these assets no longer apply. Download the "Addressing Challenges in Application Security" whitepaper today, and see for yourself. https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008YTU --------------------------------------------------------------------------
Current thread:
- Files upload security considerations Alexander Berezhnoy (Nov 09)
- Re: Files upload security considerations ed (Nov 09)
- Re: Files upload security considerations Peter Butler (Nov 11)
- Re: Files upload security considerations ed (Nov 13)
- Re: Files upload security considerations Peter Butler (Nov 11)
- Re: Files upload security considerations Cleiton Martins (Nov 09)
- <Possible follow-ups>
- Re: Files upload security considerations c0redump (Nov 09)
- Re: Files upload security considerations c0redump (Nov 09)
- Re: Files upload security considerations Hemil (Nov 11)
- Re: Files upload security considerations ed (Nov 09)