htaccess securing ftp upload folder

The Monkey
Forum Contributor
Posts: 168
Joined: Tue Mar 09, 2004 9:05 am
Location: Arkansas, USA

htaccess securing ftp upload folder

Post by The Monkey »

Hello there,

I'm running into an interesting security issue, and I feel like I may be trying to shoot myself in the foot.

I want users to have FTP access to their own private folder, using an FTP client (i.e., a web-based client won't work because external programs have to be able to upload XML files).

Of course, all they would need would be a PHP file including the config file and dumping the database to ruin pretty much everything. So my question is: while I can't do anything about what file types are uploaded through whichever FTP program they choose, if I deny from all (via .htaccess) all files which don't match a regex (jpg, jpeg, gif, xml), there would be no way for them to execute the potentially harmful (PHP, mainly) files, correct?

- Monkey
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

A regex check for extensions will be a security flaw, as malicious code could be in a jpg file as well.
Skara
Forum Regular
Posts: 703
Joined: Sat Mar 12, 2005 7:13 pm
Location: US

Post by Skara »

Indeed. Don't forget extensions don't truly exist in *nix.
If you allow people to upload things, plan on getting screwed eventually.

[offtopic]
O.o You're from my state! ^_^
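
The setup asked about in this thread, shown as an added example that is not part of any poster's message: the extension allow-list as an .htaccess in the upload folder, next to the same rule moved into the server config with PHP switched off for that tree. It assumes Apache 2.4 with PHP running as mod_php; the path /var/www/ftp-uploads and the module file name mod_php.c are assumptions.

```apache
# --- As asked in the thread: .htaccess placed inside the FTP-writable folder ---
# Weak spot 1: the FTP user can replace or delete this file.
# Weak spot 2: it only tests the file name, never the content.
# (Require all denied is the Apache 2.4 form of "Deny from all".)
Require all denied
<FilesMatch "\.(?i:jpe?g|gif|xml)$">
    Require all granted
</FilesMatch>

# --- Hardened: same allow-list, moved to the server/vhost config ---
# Assumption: /var/www/ftp-uploads is a hypothetical path for the FTP area.
<Directory "/var/www/ftp-uploads">
    # Ignore every .htaccess under this tree, so uploads cannot change policy.
    AllowOverride None
    # No CGI, no server-side includes, no directory listings.
    Options -ExecCGI -Includes -Indexes
    # Assumption: PHP runs as mod_php; the module file name differs per PHP
    # version (mod_php.c here). php_admin_* values cannot be overridden
    # from .htaccess or ini_set().
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>
    # Default deny, then allow only the expected static types.
    Require all denied
    <FilesMatch "\.(?i:jpe?g|gif|xml)$">
        Require all granted
    </FilesMatch>
</Directory>
```

With the engine off, a request for a file in this tree that contains PHP code is answered with its bytes (or refused by the allow-list) rather than executed, whatever its extension. This only covers requests Apache serves from that directory; it does not cover application code elsewhere that loads an uploaded file with include().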