Looktrne Posted October 3, 2013 Share Posted October 3, 2013 I wrote a script that allows site users to upload a file and it spits out a link for them to share so others can download the file. I noticed some EXE files being uploaded but when I navigate to the them in my browser they just pop up as downloads. I also did htaccess to prevent script execution in this folder. so I need some opinions on if I am safe? or could someone possibly execute something in my upload folder?thanks for any thoughts Paul Quote Link to comment https://forums.phpfreaks.com/topic/282681-security-risk/ Share on other sites More sharing options...
andrew_biggart Posted October 3, 2013 Share Posted October 3, 2013 Why are you even allowing exe files to be uploaded? This can be avoiding easily... Quote Link to comment https://forums.phpfreaks.com/topic/282681-security-risk/#findComment-1452441 Share on other sites More sharing options...
Looktrne Posted October 5, 2013 Author Share Posted October 5, 2013 People may need to share exe files using the site. I do not want to block any files only execution of all scripts Quote Link to comment https://forums.phpfreaks.com/topic/282681-security-risk/#findComment-1452712 Share on other sites More sharing options...
Clarding Posted October 5, 2013 Share Posted October 5, 2013 You are safe from anyone executing rogue exe files on your server because all the exe files can do is offer the user to download them, and you're ok with that. Please also make sure that .com, .bat, .cmd etc also offer themselves for download - as long as the file is offered for download, then it cannot be executed on your server by a web browsing user. However, I'd prefer (and this is what I do on my site) is to permit zip files and insist that all exes etc are zipped up first (by filtering the file type at the point of upload). Quote Link to comment https://forums.phpfreaks.com/topic/282681-security-risk/#findComment-1452717 Share on other sites More sharing options...
vinny42 Posted October 5, 2013 Share Posted October 5, 2013 as long as the file is offered for download, then it cannot be executed on your server by a web browsing user. That is only true if the webserver cannot execute files (which meanss PHP's exec() and system() must be blocked) and the webserver has no way of placing any files at any location where the server itself might execute it. A famous example is a system where MySQL is running under root (because the admin doesn't know the risk), and the webserver has a simple SQL injection problem (which are frighteningly common). Al you have to do is SELECT INTO OUTFILE "/root/.login" "adduser hacker"; and the next time the root logs in, the system is hacked. So no, just because the file is uploaded to a webserver which s configured to offer downloads doesn't mean you're safe, not by any strech of the imagination. Ditto for ZIP files by the way, because your server has programs to unzip them. if you are going to allow users to upload files you have to make sure that the location where they are stored is utterly impossible to get to from the filesystem, such as a database. Quote Link to comment https://forums.phpfreaks.com/topic/282681-security-risk/#findComment-1452724 Share on other sites More sharing options...
Clarding Posted October 5, 2013 Share Posted October 5, 2013 Yes, vinny42 is absolutely right - I stand corrected! Very well said Vinny42 and we can certainly learn from those wise comments. Quote Link to comment https://forums.phpfreaks.com/topic/282681-security-risk/#findComment-1452726 Share on other sites More sharing options...
Looktrne Posted October 8, 2013 Author Share Posted October 8, 2013 Just curious if this .htaccess access file is protecting this folder? <FilesMatch "\.(php|pl|py|jsp|asp|htm|shtml|sh|cgi)$"> ForceType text/plain <Files /cleanup.php> ForceType application/x-httpd-php SetHandler application/x-httpd-php </Files> </FilesMatch> how can I check if the folder can be accessed by the database or server etc? Quote Link to comment https://forums.phpfreaks.com/topic/282681-security-risk/#findComment-1453110 Share on other sites More sharing options...
vinny42 Posted October 8, 2013 Share Posted October 8, 2013 htaccess *only* controls what the webserver itself can do with a folder or file. It has no control over what PHP or any other process on the server does with them. In short: if it's not an HTTP request then htaccess has no control over it. Quote Link to comment https://forums.phpfreaks.com/topic/282681-security-risk/#findComment-1453115 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.