Re: Files upload security considerations

[Peter Butler <peter.butler () 141 com>]

> ideally, remove execute/write permissions to the file, so it's just 444.
> ensure the file is owned by nobody.
If you are running Linux a good option is to put user-uploaded files 
into a partition mounted with the "noexec" option.  This provides some 
protection against someone uploading a malicious executable (although I 
don't think it will protect against a malicious PHP script, given that 
PHP scripts don't need execute permission to be run by the web server).
> using http to upload is probably the most reliable method of uploading
> data, however, it's quite hard to upload large directories unless the
> user packs everything into a tar/zip and the upload processor is zip/tar
> aware.
>   
Be aware that processing the file in any way (gzip/zip, resizing images, 
etc) exposes you to vulnerabilities that may exist in the library or 
program that you use to do the processing.  For example there were 
recently posts to the bugtraq mailing list about vulnerabilities in gzip.

Cheers

Peter

-------------------------------------------------------------------------
Sponsored by: Watchfire

It's been reported that 75% of websites are vulnerable to attack. That's 
because hackers know to exploit weaknesses in web applications. 
Traditional approaches to securing these assets no longer apply. 
Download the "Addressing Challenges in Application Security" whitepaper 
today, and see for yourself.

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008YTU
--------------------------------------------------------------------------