Hey guys. My friends and I host a file uploading service. We limit the amount each user can upload though. But here is a problem. Users can upload .html and .php and any other scripting files. Conceivably, they could host their own webpage on our server as we made it a point to include persistent links to files.
It would be very interesting to allow it, but not if people were to upload scripts to hack us or gain unwanted access to files and such. Is there any way to do this?
or how do you filter out upload requests that are .php and .html and .class files and stuff?
PHP upload security issue
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Re: PHP upload security issue
Kasai wrote:
It would be very interesting to allow it, but not if people were to upload scripts to hack us or gain unwanted access to files and such. Is there any way to do this?

Yes. Their files would have total access to your server's filesystem.

Kasai wrote:
or how do you filter out upload requests that are .php and .html and .class files and stuff?

You should focus on what kinds of files you allow instead of the ones you don't allow.
- superdezign
Kasai wrote:
Hm. Is there any way that I can limit the access of their files? Like limit the scripting power of anything in that folder to only that folder?

I believe it's possible to limit the access of a user, but then the users would likely have access to each other's files. I'd just recommend that you didn't do it at all. It's a large responsibility that you'd have to take, and an unnecessary risk.
- superdezign
Kasai wrote:
Alright, thanks. I think I may keep .html but use the .htaccess and block scripting files. That way they can host some non-functioning website. lol.
On that note, that command for php_flag engine off, can I use that for other file types, or are there different commands for each?

If PHP is the only language that your server parses, then it's all you'll need.
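One way to implement the allowlist superdezign recommends in the second post, paired with the directory-level php_flag engine off from the last post (that directive is per-directory, so it already covers every file extension stored there). This is an added example, not code from the thread; the allowed extension/MIME table, the size cap and the upload directory are assumptions.

```php
<?php
// Added example (not from the thread): allowlist-based upload handler.
// Assumptions: uploads land in $uploadDir, which Apache/mod_php serves with an
// .htaccess containing the thread's "php_flag engine off", so nothing there is
// executed as PHP even if a file slips past the checks below.
declare(strict_types=1);
// Allowed extension => the MIME type libmagic must report for the file's bytes.
const ALLOWED_TYPES = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
    'pdf' => 'application/pdf',
    'txt' => 'text/plain',
];
const MAX_BYTES = 5 * 1024 * 1024; // per-file cap (constructed value)

/** Validate one $_FILES entry; returns the extension to store under, or throws. */
function validateUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error ' . ($file['error'] ?? 'none'));
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Judge only the last extension ("shell.php.png" -> "png"); the original
    // name never reaches disk because storeUpload() generates a new one.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("extension '$ext' is not allowed");
    }
    // Never trust the client-supplied $file['type']; sniff the bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content is $mime, not a valid $ext");
    }
    return $ext;
}

/** Move a validated upload to a random, unguessable name; returns the new path. */
function storeUpload(array $file, string $uploadDir): string
{
    $ext  = validateUpload($file);
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $dest;
}
```

Call storeUpload($_FILES['userfile'], $uploadDir) from the upload handler and use the returned path as the persistent link; anything not in ALLOWED_TYPES, including .php, .html and .class, is rejected before it touches disk.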