PHP upload security issue

Kasai
Forum Newbie
Posts: 13
Joined: Sun Jul 15, 2007 11:27 am

PHP upload security issue

Post by Kasai »

Hey guys. My friends and I host a file uploading service. We limit the amount each user can upload though. But here is a problem. Users can upload .html and .php and any other scripting files. Conceivably, they could host their own webpage on our server as we made it a point to include persistent links to files.

It would be very interesting to allow it, but not if people were to upload scripts to hack us or gain unwanted access to files and such. Is there any way to do this?

Or how do you filter out upload requests that are .php and .html and .class files and stuff?
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: PHP upload security issue

Post by superdezign »

Kasai wrote: It would be very interesting to allow it, but not if people were to upload scripts to hack us or gain unwanted access to files and such. Is there any way to do this?
Yes. Their files would have total access to your server's filesystem.

Kasai wrote: Or how do you filter out upload requests that are .php and .html and .class files and stuff?
You should focus on what kinds of files you allow instead of the ones you don't allow.
Kasai
Forum Newbie
Posts: 13
Joined: Sun Jul 15, 2007 11:27 am

Post by Kasai »

Hm. Is there any way that I can limit the access of their files? Like limit the scripting power of anything in that folder to only that folder?
vigge89
Forum Regular
Posts: 875
Joined: Wed Jul 30, 2003 3:29 am
Location: Sweden

Post by vigge89 »

You can disable PHP in specific directories/paths with Apache (using either .htaccess configs or the httpd.conf file) using the flag "php_flag engine off".
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Kasai wrote: Hm. Is there any way that I can limit the access of their files? Like limit the scripting power of anything in that folder to only that folder?
I believe it's possible to limit the access of a user, but then the users would likely have access to each other's files. I'd just recommend that you didn't do it at all. It's a large responsibility that you'd have to take, and an unnecessary risk.
Kasai
Forum Newbie
Posts: 13
Joined: Sun Jul 15, 2007 11:27 am

Post by Kasai »

Alright, thanks. I think I may keep .html but use the .htaccess and block scripting files. That way they can host some unfunctioning website. lol.

On that note, that command for php_flag.engine off, can I use that for other file types, or are there different commands for each?
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Kasai wrote: Alright, thanks. I think I may keep .html but use the .htaccess and block scripting files. That way they can host some unfunctioning website. lol.

On that note, that command for php_flag.engine off, can I use that for other file types, or are there different commands for each?
If PHP is the only language that your server parses, then it's all you'll need.
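
An added example, not code from any poster in this thread: one way to apply the "allow, don't block" advice above in a PHP upload handler. The extension list, the size cap, the `upload` form field and the `/var/www/uploads` path are assumptions, and that directory is assumed to be served with the PHP engine switched off as vigge89 describes.

```php
<?php
// Added example, not code from the thread. The allow-list, size cap and
// storage path below are assumptions chosen for illustration.
const ALLOWED = [            // extension => MIME type the content must have
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
    'pdf' => 'application/pdf',
    'txt' => 'text/plain',
];
const MAX_BYTES  = 5 * 1024 * 1024;
const UPLOAD_DIR = '/var/www/uploads';   // hypothetical; PHP engine off here

// Returns the safe name to store one $_FILES entry under, or null to reject.
function safe_upload_name(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        return null;
    }
    // Only the final extension counts; anything not listed (php, phtml,
    // html, class, or no extension at all) is rejected by default.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    // The extension is client-controlled, so confirm the content matches it.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        return null;
    }
    // Never reuse the client's file name: a random name plus the vetted
    // extension rules out double extensions and path traversal.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['upload'])) {
    $name = safe_upload_name($_FILES['upload']);
    if ($name === null
        || !move_uploaded_file($_FILES['upload']['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        http_response_code(400);
        exit('Upload rejected');
    }
    echo 'Stored as ' . htmlspecialchars($name);
}
```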