Server Security With Upload Scripts

[jd307]

Hi everyone!  I am sorry if this has been asked before, but I have trawled through a few dozen posts from the search facility and didn't find anything that was quite relevant.

 

Basically, I am planning to create a service that allows users to sign up and get free web hosting.  Now, this is only really a personal project, so on that basis it doesn't matter too much on the outcome of this discussion; though I would like to be able to offer a good service *just in case* it does take off and get some success.

 

Now, for this service, I would like to allow PHP files to be uploaded (giving PHP support and possibly including MySQL databse support).  My concern here, as you may have already guessed, is the security issues related to allowing the general public to be able to upload potentially malicious PHP scripts to my web server. 

 

I have looked on the Internet a little and haven't found much useful information, so I was wondering if anyone could give any advice, ideas or any places I can find some reading material that could help me here.  Of course, I don't want to find an empty web server one day or find that some illegal porn ring or something has appear on my server beacuse I have left security weaknesses due to this.

 

If it seems like I this is going to be more hassle than it is worth, I will simply ban the PHP uploads and have it as a simple HTML based web hosting service.

 

Thanks in advance for any advice or info you can share!

[Maq]

I have looked on the Internet a little and haven't found much useful information, so I was wondering if anyone could give any advice, ideas or any places I can find some reading material that could help me here.

 

Really?  That's a little hard to believe...

 

phpfreaks:

 

http://www.phpfreaks.com/forums/index.php/topic,262872.0.html

 

http://www.phpfreaks.com/forums/index.php/topic,259593.0.html

 

http://www.phpfreaks.com/forums/index.php/topic,262800.0.html

 

net:

 

http://php.about.com/od/advancedphp/ss/php_file_upload.htm

 

http://www.tizag.com/phpT/fileupload.php

 

http://www.hotscripts.com/category/php/scripts-programs/file-manipulation/upload-systems/

(3rd party)

[mikesta707]

well, even with HTML, people could insert harmful javascript. If you really don't know where to star, I suggest you start with a much smaller project than a web hosting website. As Maq has said, check out those upload tutorials.

 

For security, What I would do is, before outputting any php page, search through it with a function, and have a forbidden function array or forbidden mysql array and "cleanse" the page before it is output. Again, if you are just starting with learning how to handle uploads, something like this can be very overwhelming (and I doubt that my way is the best way, or even a particularly good way, as I don't have much experience with what your talking about)

 

best of luck

[Maq]

Here are a couple good ideas for some security precautions:

 

http://php.about.com/od/advancedphp/qt/upload_security.htm

[jd307]

Hi thanks for the replies.

 

Umm, from reading those replies, I dont think I was very clear.  I am only talking about the security implications.  I know how to create an upload script, and I know certain amounts of PHP.  This project, to code, isn't going to be all that difficult for me.

 

So, on that basis, thanks for the bit of info Mikesta707, but I do not like Maq's attitude as I have not asked how I create an upload script.  I have infact read most of those articles a while ago and are therefore no use to this situation as they do not give me any information as such on things to do to make it secure if I allow people to upload scripts, etc. to my server.  This project is partially about learning security features and techniques as I can code already but have never really done anything that requires security as such.

 

I will look into creating the forbidden functions you mention mikesta707, but if in the mean time anyone has any further ideas they would be able to share I would be greatful.

[mikesta707]

ahh ok, I was under the impression that you didn't know anything about upload scripts.

 

You could make your own API (like the Facebook API) and make user's use that for MySQL functions and other php functions that effect the server, and then forbid the built-in functions from working

 

good luck

[jd307]

Thanks Maq... I have already read that article, but it is some good advice to begin with.

 

I like your API idea Mikesta.

 

Thanks for the info.  I have just come across a few websites that have some more details information on security so i am going to read through them for now and see if I find anything suitable. 

[Maq]

Umm, from reading those replies, I dont think I was very clear.

 

Correct.  A clear question will receive a clear response.  I apologize for the misunderstanding, I think my attitude was adequate for my initial understanding of your question/concern.  Now that we know you're having a troubling concern with the security aspect, we can give clearcut help.

 

Have you read the article I provided in my previous post?  There are a few strong security precautions you can take.  I would primarily focus on 2, 3, and 4. 

 

2) Restriction: Check the mime-type and file extension and only allow certain types to be uploaded.  (In your case you are going to have to accept .php, and whatever else you need, so options 3 & 4 will be necessary)

3) Renaming: Rename files to prevent malicious code from executing on your server,

4) Permissions: Certain files should be chmod'd and chown'd properly.

 

Hope this helps, good luck.

[jd307]

I have indeed read your article.  I haven't used methods like CHMOD and what not for a while, so I am going to read up on those again.  Thank you.  Sorry for our missunderstanding... I work with a lot of smarta**e types so I reacted inappropriatly.

 

Hopefully this project will go ahead as planned and I hope to start it soon, but not before I fully understand all of the security implications that will arise from giving users any kind of access to my web server.

[The Little Guy]

Hi, I have a free php hosting service (http://hostbox.us)

 

I allow users to upload php files.

 

First, what I did was had my host turn on wildcard DNS.

Next, I had to find a way to create subdomains for my users, so I searched around and I had to make an .htaccess file:

 

Options +FollowSymLinks

RewriteEngine On
RewriteRule ^subdomains/(.*)/(.*) http://$1.example.com/$2 [r=301,nc]

# Fix missing trailing slashes.
RewriteCond %{HTTP_HOST} !^(www\.)?example\.com$ [NC]
RewriteCond %{HTTP_HOST} ^(www\.)?([^\.]+)\.example\.com$ [NC]
RewriteCond %{DOCUMENT_ROOT}/%2%{REQUEST_URI}/ -d
RewriteRule [^/]$ %{REQUEST_URI}/ [R=301,L]

# Rewrite sub domains.
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteCond %{HTTP_HOST} !^(www\.)?example\.com$ [NC]
RewriteCond %{HTTP_HOST} ^(www\.)?([^\.]+)\.example\.com$ [NC]

#Choose one of the following lines:
RewriteRule ^(.*)$ subdomains/%2/$1 [QSA,L]
#RewriteRule ^(.*)$ viewSubdomain.php?subdomain=%2&file=$1 [QSA,L]

 

After that you will need to redirect each user through viewSubdomain.php (nobody will know that that is where they have been redirected as it doesn't show up in the Address bar).

 

To view the full tutorial I wrote about this, view this page: http://wiki.dreamhost.com/Dynamic_Subdomains

 

Anyways, I haven't had any members upload bad scripts to do anything "Bad". I did though have some members upload proxy's which I did delete, but other than that nothing bad has happened yet, and it's been about a year now.

[Maq]

I have indeed read your article.  I haven't used methods like CHMOD and what not for a while, so I am going to read up on those again.  Thank you.  Sorry for our missunderstanding... I work with a lot of smarta**e types so I reacted inappropriatly.

 

No worries. 

 

Hopefully this project will go ahead as planned and I hope to start it soon, but not before I fully understand all of the security implications that will arise from giving users any kind of access to my web server.

 

Your best bet is to actually create the script, implement what you think are proper security precautions, and post it in the Beta Test Your Stuff! section.  People will give you insight on leaks, holes, and other issues you have in your script.  Good luck.

[jd307]

Ah nice!  I wasn't aware of the Beta testing section.  I will do just that.  Thanks mate!