Looktrne, posted September 22, 2012:

I have a script that allows for anyone to upload a file to my server using this method:

move_uploaded_file($_FILES["file"]["tmp_name"], "m/" . $newname);

It lets the user select a file for upload and then uploads the file in a directory named "m". Once the file is uploaded, it provides a link so they can share it and anyone can download the file.

Can I make this safe using .htaccess permissions? I want them to be able to upload and download EXE files but not execute them on my server.

Thanks for any tips on how to make this safe?

Paul

Looktrne (author), posted September 22, 2012:

In simpler terms: if I set permissions on the "m" directory, can I safely allow executable scripts to be uploaded to this directory without worrying that they can hack my server? If so, what permissions do you recommend?

Thanks,
Paul

Christian F., posted September 22, 2012:

I very much doubt that, as it depends upon what else you're doing to secure your application. Also, I suspect that you'll want to give your users the ability to download the files again, which means you'll have to write a download wrapper if you disallow browsing. (Browsing will execute any files that can be executed by the server.)

To start with, I'd recommend that you read this article on securing upload forms. Even though it's not exactly what you want, it is a start. You will also want to write that download wrapper, just to be on the safe side.

Adam, posted September 22, 2012:

Just to be sure, is your production server Windows-based?

coded4u, posted September 23, 2012:

Get the users to put the .exe file into a zip/RAR and upload it that way? Once a user downloads it they can always un-zip the folder before installing. I wouldn't allow anyone to upload .exe files on my host anyway.

Christian F., posted September 23, 2012:

That wouldn't confer any real security, I'm afraid, C4U. All it would do is require the users to do some more work, for no apparent benefit on their end. Also, zip/rar files can be made executable quite easily, and even if the file is called "something.zip", that doesn't have to mean that it's actually a zip file. It could be a renamed executable, which can still get executed on the server.

Writing a wrapper that serves the files, and saving them outside of the server root, is the proper course of action. That way you've ensured that an attacker must have access to the server OS itself before he's able to execute the files. In which case it's game over already, and no amount of security you've added to your PHP scripts is going to matter.

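The approach Christian F. describes (store uploads outside the web root and serve them through a download wrapper), as an added example that is not part of the original thread. The directory path, the function names and the random-ID naming scheme are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. UPLOAD_DIR, store_upload() and
// serve_download() are assumed names; the path is a placeholder.
const UPLOAD_DIR = '/var/www/private_uploads'; // assumption: outside the document root

// Upload side: never use the client-supplied name as the stored filename.
function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    $id = bin2hex(random_bytes(16)); // 32 hex characters, no extension
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $id)) {
        throw new RuntimeException('Could not store file');
    }
    // Keep the original name only as data, for the download header.
    file_put_contents(UPLOAD_DIR . '/' . $id . '.name', basename($file['name']));
    return $id; // share link becomes download.php?id=<id>
}

// Download side: the wrapper only reads bytes; it never includes or runs the file.
function serve_download(string $id): void
{
    // Accept only IDs in the format generated above; this also blocks "../" traversal.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id)) {
        http_response_code(400);
        return;
    }
    $path = UPLOAD_DIR . '/' . $id;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $name = (string) @file_get_contents($path . '.name');
    // Reduce the name to safe characters so it cannot break out of the header value.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name) ?: 'download.bin';

    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// download.php entry point: reject non-string input such as id[]=x.
$id = $_GET['id'] ?? '';
serve_download(is_string($id) ? $id : '');
```

Because the stored file has no extension and its directory has no URL, the web server never gets a chance to treat an upload as a script; the wrapper only streams its bytes back as an attachment.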