Warptweet Posted June 9, 2008
Today, I had no current-date backups of two of my websites. Today, I had a short and incomplete list of banned file types for my upload scripts. Today, I had to resort to outdated or incomplete BETAs of two of my sites. Today, two of my sites were hacked. Hahaha, security doesn't matter? -Team NOBODY CARES. Today, I hurt. And the child services division couldn't help. Even if they could, it would take them exactly 21 minutes to get here. My uploader was vulnerable. I banned .php files, but forgot to ban .php3, .php4, .php5, and .php6 files. What file types should I ban to maximize security? www.uploadpoints.com
keeB Posted June 9, 2008
Ouch.
OOP Posted June 9, 2008
Hi, why don't you use the whitelist filtering approach? Whitelist filtering is much more restrictive, yet it affords you the ability to accept only the input you expect to receive. Instead of identifying data that is unacceptable, a whitelist identifies only the data that is acceptable. Regards
Warptweet (Author) Posted June 9, 2008
A whitelist may be too difficult. Or -- would setting the file permissions to 0000, or perhaps just read (no writing or executing), work?
keeB Posted June 9, 2008
Doesn't PHP only require R access?
corbin Posted June 9, 2008
That is correct, PHP only requires read since the php binary actually executes it. What kind of uploads are you allowing? An image gallery? A general file host? Or what?
keeB Posted June 9, 2008
From his site it looks like anything up to 200MB.
448191 Posted June 9, 2008
How are the uploaded files executed? It seems to me it is just a matter of "they upload a php file, then request it through Apache, and the file is executed"... If so, anything that Apache is able to execute should be disallowed. To ensure you cover everything, simply check your server config. Even better would be to have the files served up by a different instance of Apache, without PHP, without .htaccess, without anything but the basic ability to serve up files, really. Maybe I'm missing something, because this seems too obvious.
Daniel0 Posted June 9, 2008
http://www.phpfreaks.com/forums/index.php/topic,95433.0.html
448191 Posted June 9, 2008
Hmyeah... One could do that, but if you manage your own server, I would let Apache handle it.
corbin Posted June 9, 2008
If all of your uploads are under a certain directory, you could set PHP (and whatnot) to not parse in that directory (at least I think that's possible and fairly simple... never needed to do it myself). You could always make a script that passes files to the user... get_file.php?file=1... Then, it doesn't matter what file type 1 is; it's harmless. The only problem with this method is that it's not a static file. In other words, you have to read the file and output it to the browser through PHP every time someone downloads a file. (Well, Apache would have to read the file out anyway, but PHP has to read it to Apache [to simplify it], and then Apache sends it to the client, so it's an extra step.)
Warptweet (Author) Posted June 10, 2008
My site is a general file host for any file type that isn't banned. It already has forced-download abilities -- however, you can easily just direct-link to it. Luckily for me, the hacker who did it was stupid enough to try and upload a .php7 file, which isn't banned (and didn't work). After the very first incident, I added IP logging for all uploads. He won't be able to even view the front page of any of my sites for as long as his IP is the same.
keeB Posted June 10, 2008
He was probably using a proxy, so all he has to do is switch proxies.
Daniel0 Posted June 10, 2008
> It already has forced-download abilities -- however, you can easily just direct-link to it.
Store the files outside document root.
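The pattern corbin (serve through a get_file script) and Daniel0 (store outside document root) describe, as an added example that is not the original poster's uploader code: files land under a random, extension-free name in an assumed directory /var/uploads outside DocumentRoot, so no blacklist of .php3/.php5/.php7 is needed because Apache never maps a URL to them; the display name is kept in an assumed index file and only ever sent back as a download attachment.

```php
<?php
// Added example (not the site's own code): store uploads outside the web root
// under a random name and serve them only through this script, so the file's
// extension never reaches Apache's handler table. Assumed paths: /var/uploads
// (outside DocumentRoot) and a small JSON index of id => display name.
const STORE_DIR  = '/var/uploads';
const INDEX_FILE = '/var/uploads/index.json';
const MAX_BYTES  = 200 * 1024 * 1024;                // 200 MB, as on the site

function load_index(): array {
    return is_file(INDEX_FILE) ? (json_decode(file_get_contents(INDEX_FILE), true) ?? []) : [];
}

function save_upload(array $file): string {
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }
    // Random, extension-free name on disk: we keep only bytes plus a display
    // name, so there is no extension list to get wrong.
    $id   = bin2hex(random_bytes(16));
    $dest = STORE_DIR . '/' . $id;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    chmod($dest, 0640);                               // readable, never executable
    $index = load_index();
    // Strip directory parts and anything unusual from the name we echo back.
    $index[$id] = preg_replace('/[^\w.\- ]/', '_', basename($file['name']));
    file_put_contents(INDEX_FILE, json_encode($index), LOCK_EX);
    return $id;
}

function send_file(string $id): void {
    // The id is the only client-controlled value; it must be exactly 32 hex chars.
    if (!preg_match('/^[a-f0-9]{32}$/', $id)) { http_response_code(404); exit; }
    $index = load_index();
    if (!isset($index[$id])) { http_response_code(404); exit; }
    $path = STORE_DIR . '/' . $id;
    header('Content-Type: application/octet-stream');   // never sniffed or executed
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $index[$id] . '"');
    readfile($path);
}

// Usage: POST a form field named "upload" to store; GET ?id=<hex> to download.
if (!empty($_FILES['upload'])) {
    echo save_upload($_FILES['upload']);
} elseif (isset($_GET['id'])) {
    send_file((string) $_GET['id']);
}
```

Direct links to the stored bytes are impossible because nothing under /var/uploads has a URL; the only route to a file is the id, and the response is always an attachment.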
FIREBALL5 Posted June 20, 2008
Wait, I have a general uploader too, that I made, and I tried uploading .php4 and .php5 and they didn't work. .php3 did work though, so I'm not sure how you got hacked. But yeah, I knew about .php3.