PHP upload security issue
Posted: Thu Aug 02, 2007 8:31 pm
by Kasai
Hey guys. My friends and I host a file uploading service. We limit the amount each user can upload though. But here is a problem. Users can upload .html and .php and any other scripting files. Conceivably, they could host their own webpage on our server as we made it a point to include persistent links to files.
It would be very interesting to allow it, but not if people were to upload scripts to hack us or gain unwanted access to files and such. Is there any way to do this?
Or how do you filter out upload requests that are .php and .html and .class files and stuff?
Re: PHP upload security issue
Posted: Thu Aug 02, 2007 8:56 pm
by superdezign
Kasai wrote: It would be very interesting to allow it, but not if people were to upload scripts to hack us or gain unwanted access to files and such. Is there any way to do this?
Yes. Their files would have total access to your server's filesystem.
Kasai wrote: Or how do you filter out upload requests that are .php and .html and .class files and stuff?
You should focus on what kinds of files you allow instead of the ones you don't allow.
Posted: Fri Aug 03, 2007 7:37 am
by Kasai
Hm. Is there any way that I can limit the access of their files? Like limit the scripting power of anything in that folder to only that folder?
Posted: Fri Aug 03, 2007 7:56 am
by vigge89
You can disable PHP in specific directories/paths with Apache (using either .htaccess configs or the httpd.conf file) using the flag "php_flag engine off".
Posted: Fri Aug 03, 2007 8:16 am
by superdezign
Kasai wrote: Hm. Is there any way that I can limit the access of their files? Like limit the scripting power of anything in that folder to only that folder?
I believe it's possible to limit the access of a user, but then the users would likely have access to each other's files. I'd just recommend that you didn't do it at all. It's a large responsibility that you'd have to take, and an unnecessary risk.
Posted: Fri Aug 03, 2007 8:17 am
by Kasai
Alright, thanks. I think I may keep .html but use the .htaccess and block scripting files. That way they can host some unfunctioning website. lol.
On that note, that command for php_flag engine off, can I use that for other file types, or are there different commands for each?
Posted: Fri Aug 03, 2007 10:58 am
by superdezign
Kasai wrote: Alright, thanks. I think I may keep .html but use the .htaccess and block scripting files. That way they can host some unfunctioning website. lol.
On that note, that command for php_flag engine off, can I use that for other file types, or are there different commands for each?
If PHP is the only language that your server parses, then it's all you'll need.
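Putting vigge89's php_flag suggestion and Kasai's "what about other file types" question together, here is an added example (not posted by anyone in this thread) of an httpd.conf block for the upload tree. It assumes Apache 2.x with mod_php and mod_headers loaded; the path /var/www/uploads is a placeholder.

```apache
# Added example: lock down a directory that holds user-uploaded files.
# Assumes Apache 2.x with mod_php and mod_headers; the path is a placeholder.
<Directory "/var/www/uploads">
    # vigge89's suggestion: no PHP engine in this tree, so an uploaded .php is never run.
    php_flag engine off

    # Belt and braces for whatever else this server parses (Kasai's follow-up):
    # strip the handlers and MIME types Apache would use to execute or include a
    # file, and serve everything as a plain static file. Extend the lists to match
    # every parser actually enabled on the server (PHP, CGI, SSI, ...).
    RemoveHandler .php .phtml .php3 .php4 .php5 .cgi .pl .py .shtml
    RemoveType    .php .phtml .php3 .php4 .php5
    SetHandler    default-handler
    Options       -ExecCGI -Includes -Indexes

    # An uploaded .htaccess must not be able to undo any of the above.
    AllowOverride None

    # Uploaded .html still carries JavaScript that runs in the visitor's browser
    # under this site's origin (cookies, sessions). Forcing a download instead of
    # rendering inline is the simple fix; if uploaded pages really should render,
    # serve this tree from a separate hostname so its scripts get a different origin.
    <FilesMatch "\.(html?|xhtml|xml|svg)$">
        Header set Content-Disposition "attachment"
        Header set X-Content-Type-Options "nosniff"
    </FilesMatch>
</Directory>
```

After restarting Apache, requesting an uploaded test.php should return its source as plain text rather than executing it; if it still runs, PHP is handled by another module (CGI/FastCGI) and that handler needs the same RemoveHandler treatment.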