Suggested File Types to Ban?

[Warptweet]

Today, I had no current-date backups of two of my websites.

Today, I had a short and incomplete list of banned file types for my upload scripts.

Today, I had to resort to out-dated or incomplete BETA's of two of my sites.

Today, two of my sites were hacked.

 

Hahaha, security doesn't matter?

-Team NOBODY CARES

 

Today, I hurt. And the child services division couldn't help. Even if they could, it would take them exactly 21 minutes to get here.

 

My uploader was vulnerable.

I banned .php files, but forgot to ban .php3, .php4, .php5, and .php6 files.

What file types should I ban to maximize security? www.uploadpoints.com

[keeB]

Ouch.

[OOP]

Hi,

why don't you use the concept of whitelist filtering approche. whitelist filtering is much more restrictive, yet it affords you the ability to accept only the input you expects to receive. Instead of identifying data that is unacceptable, a whitelist identifies only the data that is acceptable.

 

regards

 

 

[Warptweet]

A whiltelist may be too difficult.

 

Or -- would setting the file permissions to 0000, or perhaps just read (no writing or executing), work?

[keeB]

Doesn't PHP only required R access?

[corbin]

That is correct, PHP only requires read since the php binary actually executes it.

 

What kind of uploads are you allowing?  An image gallery?  A general file host?  Or what?

[keeB]

From his site it looks like anything up to 200MB

[448191]

How are the uploaded files executed? It seems to me it is just a matter of "they upload a php file, then request through apache, and the file is executed"... If so, anything that Apache is able to execute should be disallowed. To ensure you cover everything, simply check your server config. Even better would be to have the files served up by a different instance of Apache, without php, without .htacess, without anything but the basic ability to serve up files, really.

 

Maybe I'm missing something, because this seems too obvious.

[Daniel0]

http://www.phpfreaks.com/forums/index.php/topic,95433.0.html

[448191]

Hmyeah... One could do that, but if you manage your own server, I would let Apache handle it.

[corbin]

If all of your uploads are under a certain directory, you could set PHP (and what not) to not parse in that directory (atleast I think that's possible and fairly simple... never needed to do it my self).

 

You could always make a script that passes files to the user...

 

get_file.php?file=1...  Then, it doesn't matter what file type 1 is; it's harmless.  Only problem with this method is that it's not a static file.  In other words, you have to read the file and output it to the browser through PHP every time someone downloads a file.  (Well, Apache would have to read the file out anyway, but PHP has to read it to Apache [to simplify it], and then Apache sends it to the client, so it's an extra step.)

[Warptweet]

My site is a general file host for any file type that isn't banned.

 

It already has forced-download abilities -- however, you can easily just direct-link to it.

Luckily for me, the hacker who did it was stupid enough to try and upload a .php7 file, which isn't banned (and didn't work.). After the very first incident, I added IP logging for all uploads. He won't be able to even view the front page of any of my sites for as long as his IP is the same.

[keeB]

He was probably using a proxy, so all he has to do is switch proxies.

[Daniel0]

It already has forced-download abilities -- however, you can easily just direct-link to it.

 

Store the files outside document root.

[FIREBALL5]

Wait, I have a general uploader too, that I made and I tried uploading .php4 and .php5 and they didn't work. .php3 did work though, so, I'm not sure how you got hacked. But yeah, I knew about .php3.