WebApp Sec mailing list archives
Re: Files upload security considerations
From: Peter Butler <peter.butler () 141 com>
Date: Fri, 10 Nov 2006 14:06:43 +1300
If you are running Linux a good option is to put user-uploaded files into a partition mounted with the "noexec" option. This provides some protection against someone uploading a malicious executable (although I don't think it will protect against a malicious PHP script, given that PHP scripts don't need execute permission to be run by the web server).ideally, remove execute/write permissions to the file, so it's just 444. ensure the file is owned by nobody.
Be aware that processing the file in any way (gzip/zip, resizing images, etc) exposes you to vulnerabilities that may exist in the library or program that you use to do the processing. For example there were recently posts to the bugtraq mailing list about vulnerabilities in gzip.using http to upload is probably the most reliable method of uploading data, however, it's quite hard to upload large directories unless the user packs everything into a tar/zip and the upload processor is zip/tar aware.
Cheers Peter ------------------------------------------------------------------------- Sponsored by: WatchfireIt's been reported that 75% of websites are vulnerable to attack. That's because hackers know to exploit weaknesses in web applications. Traditional approaches to securing these assets no longer apply. Download the "Addressing Challenges in Application Security" whitepaper today, and see for yourself.
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008YTU --------------------------------------------------------------------------
Current thread:
- Files upload security considerations Alexander Berezhnoy (Nov 09)
- Re: Files upload security considerations ed (Nov 09)
- Re: Files upload security considerations Peter Butler (Nov 11)
- Re: Files upload security considerations ed (Nov 13)
- Re: Files upload security considerations Peter Butler (Nov 11)
- Re: Files upload security considerations Cleiton Martins (Nov 09)
- <Possible follow-ups>
- Re: Files upload security considerations c0redump (Nov 09)
- Re: Files upload security considerations c0redump (Nov 09)
- Re: Files upload security considerations Hemil (Nov 11)
- Re: Files upload security considerations ed (Nov 09)