Looktrne Posted October 3, 2013

I wrote a script that allows site users to upload a file, and it spits out a link for them to share so others can download the file. I noticed some EXE files being uploaded, but when I navigate to them in my browser they just pop up as downloads. I also did htaccess to prevent script execution in this folder. So I need some opinions on whether I am safe, or could someone possibly execute something in my upload folder?

Thanks for any thoughts,
Paul
andrew_biggart Posted October 3, 2013

Why are you even allowing exe files to be uploaded? This can be avoided easily...
Looktrne (Author) Posted October 5, 2013

People may need to share exe files using the site. I do not want to block any files, only execution of all scripts.
Clarding Posted October 5, 2013

You are safe from anyone executing rogue exe files on your server, because all the exe files can do is offer the user to download them, and you're ok with that. Please also make sure that .com, .bat, .cmd etc. also offer themselves for download - as long as the file is offered for download, then it cannot be executed on your server by a web browsing user.

However, what I'd prefer (and this is what I do on my site) is to permit zip files and insist that all exes etc. are zipped up first (by filtering the file type at the point of upload).
vinny42 Posted October 5, 2013

> as long as the file is offered for download, then it cannot be executed on your server by a web browsing user.

That is only true if the webserver cannot execute files (which means PHP's exec() and system() must be blocked) and the webserver has no way of placing any files at any location where the server itself might execute it.

A famous example is a system where MySQL is running under root (because the admin doesn't know the risk), and the webserver has a simple SQL injection problem (which are frighteningly common). All you have to do is SELECT INTO OUTFILE "/root/.login" "adduser hacker"; and the next time the root logs in, the system is hacked.

So no, just because the file is uploaded to a webserver which is configured to offer downloads doesn't mean you're safe, not by any stretch of the imagination. Ditto for ZIP files, by the way, because your server has programs to unzip them.

If you are going to allow users to upload files, you have to make sure that the location where they are stored is utterly impossible to get to from the filesystem, such as a database.
Clarding Posted October 5, 2013

Yes, vinny42 is absolutely right - I stand corrected! Very well said, Vinny42, and we can certainly learn from those wise comments.
Looktrne (Author) Posted October 8, 2013

Just curious if this .htaccess file is protecting this folder?

# Serve anything with a script extension as plain text instead of running it
<FilesMatch "\.(php|pl|py|jsp|asp|htm|shtml|sh|cgi)$">
    ForceType text/plain
</FilesMatch>

# The one script in this folder that must still run as PHP; kept as its own
# section after the FilesMatch so it overrides it, and <Files> takes a bare
# file name rather than a path
<Files "cleanup.php">
    ForceType application/x-httpd-php
    SetHandler application/x-httpd-php
</Files>

How can I check if the folder can be accessed by the database or server etc.?
vinny42 Posted October 8, 2013

htaccess *only* controls what the webserver itself can do with a folder or file. It has no control over what PHP or any other process on the server does with them. In short: if it's not an HTTP request, then htaccess has no control over it.
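The approach the thread converges on (keep uploads out of the web root, never let the browser interpret them, and hand out a link that goes through a script) as an added example; this is not code from the original posts. STORAGE_DIR, the download.php URL and the "id" parameter are assumed names, and the storage directory is assumed to be outside DocumentRoot and not writable by the database user.

```php
<?php
// Added example, not from the thread. Uploads are stored outside the
// document root under an opaque random name and served only through this
// script, which forces a download so the browser never renders or runs them.
// STORAGE_DIR is an assumed path: outside DocumentRoot, owned by the web
// user, and not writable by the database server.
const STORAGE_DIR = '/var/uploads';

function store_upload(array $file): string {
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $id   = bin2hex(random_bytes(16));   // no user-chosen name or extension on disk
    $dest = STORAGE_DIR . '/' . $id;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('cannot store file');
    }
    chmod($dest, 0640);                  // data only, never executable
    // Keep the original name separately; a DB row keyed by $id would do as well.
    file_put_contents($dest . '.name', basename($file['name']));
    return $id;
}

function serve_download(string $id): void {
    // Only a generated id is accepted, so there is no way to name another path.
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {
        http_response_code(404);
        return;
    }
    $path = STORAGE_DIR . '/' . $id;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $name = @file_get_contents($path . '.name') ?: 'download';
    $name = str_replace(["\r", "\n", '"'], '', basename($name));
    header('Content-Type: application/octet-stream');   // never a renderable type
    header('X-Content-Type-Options: nosniff');          // stop MIME sniffing
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

if (isset($_FILES['upload'])) {
    // Assumed URL; this is the link the uploader shares.
    echo 'https://example.invalid/download.php?id=' . store_upload($_FILES['upload']);
} elseif (isset($_GET['id'])) {
    serve_download($_GET['id']);
}
```

Because the files live outside the web root, the delivery script rather than the upload folder's .htaccess decides what is served; an .htaccess that only changes the MIME type with ForceType can still leave a script runnable on hosts where PHP is attached by handler rather than by type.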