Jump to content

Recommended Posts

I wrote a script that allows site users to upload a file and it spits out a link for them to share so others can download the file.

 

I noticed some EXE files being uploaded but when I navigate to the them in my browser they just pop up as downloads.

 

I also did htaccess to prevent script execution in this folder.

 

so I need some opinions on if I am safe? or could someone possibly execute something in my upload folder?


thanks for any thoughts

 

Paul

Link to comment
https://forums.phpfreaks.com/topic/282681-security-risk/
Share on other sites

You are safe from anyone executing rogue exe files on your server because all the exe files can do is offer the user to download them, and you're ok with that.  Please also make sure that .com, .bat, .cmd etc also offer themselves for download - as long as the file is offered for download, then it cannot be executed on your server by a web browsing user.   However, I'd prefer (and this is what I do on my site) is to permit zip files and insist that all exes etc are zipped up first (by filtering the file type at the point of upload).

Link to comment
https://forums.phpfreaks.com/topic/282681-security-risk/#findComment-1452717
Share on other sites

 


as long as the file is offered for download, then it cannot be executed on your server by a web browsing user

 

That is only true if the webserver cannot execute files (which meanss PHP's exec() and system() must be blocked) and the webserver has no way of placing any files at any location where the server itself might execute it.

 

A famous example is a system where MySQL is running under root (because the admin doesn't know the risk), and the webserver has a simple SQL injection problem (which are frighteningly common). Al you have to do is SELECT INTO OUTFILE "/root/.login" "adduser hacker"; and the next time the root  logs in, the system is hacked.

 

So no, just because the file is uploaded to a webserver which s configured to offer downloads doesn't mean you're safe, not by any strech of the imagination.

Ditto for ZIP files by the way, because your server has programs to unzip them.

if you are going to allow users to upload files you have to make sure that the location where they are stored is utterly impossible to get to from the filesystem, such as a database.

Link to comment
https://forums.phpfreaks.com/topic/282681-security-risk/#findComment-1452724
Share on other sites

Just curious if this .htaccess access file is protecting this folder?

<FilesMatch "\.(php|pl|py|jsp|asp|htm|shtml|sh|cgi)$">
ForceType text/plain
<Files /cleanup.php>
ForceType application/x-httpd-php
SetHandler application/x-httpd-php
</Files>
</FilesMatch>

how can I check if the folder can be accessed by the database or server etc?

Link to comment
https://forums.phpfreaks.com/topic/282681-security-risk/#findComment-1453110
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.