
Suggested File Types to Ban?


Warptweet


Today, I had no current-date backups of two of my websites.

Today, I had a short and incomplete list of banned file types for my upload scripts.

Today, I had to resort to outdated or incomplete BETAs of two of my sites.

Today, two of my sites were hacked.

 

Hahaha, security doesn't matter?

-Team NOBODY CARES

 

Today, I hurt. And the child services division couldn't help. Even if they could, it would take them exactly 21 minutes to get here.

 

My uploader was vulnerable.

I banned .php files, but forgot to ban .php3, .php4, .php5, and .php6 files.

What file types should I ban to maximize security? www.uploadpoints.com


Hi,

Why don't you use the concept of a whitelist filtering approach? Whitelist filtering is much more restrictive, yet it affords you the ability to accept only the input you expect to receive. Instead of identifying data that is unacceptable, a whitelist identifies only the data that is acceptable.

 

Regards

 

 


How are the uploaded files executed? It seems to me it is just a matter of "they upload a php file, then request through apache, and the file is executed"... If so, anything that Apache is able to execute should be disallowed. To ensure you cover everything, simply check your server config. Even better would be to have the files served up by a different instance of Apache, without php, without .htaccess, without anything but the basic ability to serve up files, really.

 

Maybe I'm missing something, because this seems too obvious.


If all of your uploads are under a certain directory, you could set PHP (and whatnot) to not parse in that directory (at least I think that's possible and fairly simple... never needed to do it myself).

 

You could always make a script that passes files to the user...

 

get_file.php?file=1...  Then, it doesn't matter what file type 1 is; it's harmless.  Only problem with this method is that it's not a static file.  In other words, you have to read the file and output it to the browser through PHP every time someone downloads a file.  (Well, Apache would have to read the file out anyway, but PHP has to read it to Apache [to simplify it], and then Apache sends it to the client, so it's an extra step.)

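A sketch of the whitelist and `get_file.php` ideas from the replies above, added here as an example and not posted by anyone in the thread. The allowed-extension list, the function names and the sample file names are assumptions.

```php
<?php
// Added example, not code from the thread. ALLOWED_EXT, the function names
// and the sample file names are assumptions made for this sketch.
const ALLOWED_EXT = ['jpg', 'png', 'gif', 'pdf', 'txt', 'zip'];

// Blacklist as described in the first post: only "php" is banned.
function blacklist_accepts(string $clientName): bool
{
    return strtolower(pathinfo($clientName, PATHINFO_EXTENSION)) !== 'php';
}

// Whitelist: accept only known extensions and never reuse the client's
// file name on disk. Returns the name to store under, or null to reject.
function whitelist_stored_name(string $clientName): ?string
{
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Random server-generated name: no client-controlled extension is left
    // for the web server to map to a handler on a direct request.
    return bin2hex(random_bytes(16));
}

// get_file.php-style delivery: the stored bytes are sent as data only.
function send_stored_file(string $uploadDir, string $stored): void
{
    // Only names of the shape generated above are ever opened.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $stored)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="download"');
    header('X-Content-Type-Options: nosniff');
    readfile($uploadDir . '/' . $stored);
}

// Constructed sample names, using the extensions named in the thread.
$samples = ['photo.jpg', 'a.php', 'a.php3', 'a.php5', 'a.php7', 'notes'];
foreach ($samples as $name) {
    $stored = whitelist_stored_name($name);
    printf(
        "%-10s blacklist=%-6s whitelist=%s\n",
        $name,
        blacklist_accepts($name) ? 'accept' : 'reject',
        $stored === null ? 'reject' : "store as $stored"
    );
}
```

The original file name and the generated name would be kept together in the site's own database, so the download script can look up the stored name from an id such as `file=1`.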

My site is a general file host for any file type that isn't banned.

 

It already has forced-download abilities -- however, you can easily just direct-link to it.

Luckily for me, the hacker who did it was stupid enough to try and upload a .php7 file, which isn't banned (and didn't work). After the very first incident, I added IP logging for all uploads. He won't be able to even view the front page of any of my sites for as long as his IP is the same.

