Users Folders Security
Moderator: General Moderators
I've created a little blog service that allows people to upload images and movies. I'm worried that I may not be setting things up securely enough. My scripts go to great lengths to keep people from uploading malicious files (checking mime types, running gd and php-ffmpeg functions against them, etc.), but I wonder if my directory structure is OK?
I've always heard that you shouldn't have writeable directories above the web root, but I'm not sure how to do this differently. Currently, each new user has a folder on the webroot (http://www.mywebsite/user_folder) and in that folder are two more folders for storing uploaded images and movies. Both sub directories are set to 777 so apache can move uploaded items to them.
Is this the best way? Is there any way to have my users' folders below the webroot and show up on the website correctly? I can't create apache Aliases unless there's a way to do that without editing the server httpd.conf.
Sorry if this is more general theory than specific to just php. Any help is appreciated. Thanks much!
bread
- darodesign
In your suggestion for streaming the output, would I have to change all the img and download references to a php script that would feed the respective items from a folder above the web root?
Only thing I've noticed with having php read files for download instead of putting the link in the html is that some browsers won't recognize the file size or file type because of the progressive stream.
Last edited by bread_man on Sat Sep 29, 2007 11:43 pm, edited 1 time in total.
If you're using php redirects right now, just change the redirector to output a mime type and a file.
http://www.mybabyplace.net/ava/movie.ph ... /quicktime
Since the directory is specified in the URL and not the query, you could detect the url in the script and use it to match a directory in the upload folder.
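For the redirector/streaming approach suggested above, and bread_man's concern that streamed files lose their size and type, here is an added example (not code from the original thread): a PHP script that takes an opaque id from the URL path rather than the query string, looks it up in a directory above the web root, and sends Content-Type and Content-Length derived from the file itself. UPLOAD_DIR, the 32-hex-char id format and the allowed-type list are my assumptions.

```php
<?php
// Added example (not the thread's code): serve an upload stored ABOVE the web root.
// Assumptions: files live in UPLOAD_DIR under an opaque 32-hex-char id assigned at
// upload time, and the script is reached as /serve.php/<id> so the id arrives in
// PATH_INFO (the URL path), not in the query string.
declare(strict_types=1);

const UPLOAD_DIR = '/srv/blog_uploads';            // assumption: outside DocumentRoot
const ALLOWED = [                                  // sniffed type => extension to present
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'image/gif'       => 'gif',
    'video/quicktime' => 'mov',
    'video/mp4'       => 'mp4',
];

// Map the URL path to a file inside UPLOAD_DIR, or null if the request is bad.
function resolve_upload(string $pathInfo): ?string
{
    // Only an opaque id is accepted, so "../" or real filenames can never reach disk.
    if (!preg_match('#^/([a-f0-9]{32})$#', $pathInfo, $m)) {
        return null;
    }
    $real = realpath(UPLOAD_DIR . '/' . $m[1]);    // false if the file does not exist
    if ($real === false || !is_file($real) || strpos($real, UPLOAD_DIR . '/') !== 0) {
        return null;                               // belt and braces: stay inside UPLOAD_DIR
    }
    return $real;
}

// Send the file with headers taken from its own bytes, never from the client.
function send_upload(string $file): void
{
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($file);
    if ($type === false || !array_key_exists($type, ALLOWED)) {
        http_response_code(404);                   // anything unexpected is simply not served
        return;
    }
    header('Content-Type: ' . $type);
    header('Content-Length: ' . filesize($file));  // browsers can show size and progress again
    header('Content-Disposition: inline; filename="' . basename($file) . '.' . ALLOWED[$type] . '"');
    header('X-Content-Type-Options: nosniff');     // browser must not second-guess the type
    readfile($file);
}

$file = resolve_upload($_SERVER['PATH_INFO'] ?? '');
if ($file === null) {
    http_response_code(404);
    exit;
}
send_upload($file);
```

In the HTML you then reference `/serve.php/<id>` in the img or embed tag instead of a direct path; this relies on Apache passing path info to the script (AcceptPathInfo), which it does for PHP by default.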
- Ollie Saunders
ahhhhhh teh babies!
And look there is enough avatar food here for me to have a good breakfast, Yes I do like to eat spiders
feyd, you should be scared
*cough*
Preventing malicious files getting on to your server is a good method to prevent hacking BUT it's difficult to do and it's very unlikely that you can write something that cannot be trumped. Validate whatever you can, codecs might be a good check, as is file size against DoS attacks (note upload_max_filesize) etc. As one of the principles of security is (Shiflett wrote: "Defence in Depth"), this means you should protect yourself by other means too.
So make sure that these files cannot be executed, make sure that you can control the times that they are even read. If possible there may be security advantages to chmod 000 them and adding R when you need to read and turning it off when you are done; never turn on X.
Also consider the way in which they are output, it is possible for a user to request them directly; if so that is dangerous and a successful XSS attack could well turn your site into a virus distribution centre. If they can only be shown the file in the context of an <img src="" or <embed / object> and can't be requested any other way (possibly through the use of some token) then you have thwarted that.
One vulnerability that also comes to mind is the filenames. The filenames could (although I'm not quite sure how) be used to inject text into your HTML and create an XSS attack so rename the files or use ids that reference the files (which are only stored server side).
Oh btw the mime type is provided by the client so checking it, from a security standpoint, is like asking a thief if he steals.
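To show how the advice above fits together (files kept above the web root, never executable, renamed to server-side ids, the client's mime type ignored in favour of the file's own bytes, a size limit against DoS), here is an added upload handler that is not code from the thread. UPLOAD_DIR, the form field name "upload", the size limit and the allowed-type list are assumptions.

```php
<?php
// Added example (not the thread's code): accept an upload into a directory ABOVE
// the web root. Assumptions: UPLOAD_DIR is owned by the Apache user and mode 0750
// (so no 777 directory under DocumentRoot is needed) and the form field is "upload".
declare(strict_types=1);

const UPLOAD_DIR = '/srv/blog_uploads';
const MAX_BYTES  = 20 * 1024 * 1024;               // keep in step with upload_max_filesize/post_max_size
const ALLOWED    = ['image/jpeg', 'image/png', 'image/gif', 'video/quicktime', 'video/mp4'];

// Validate one $_FILES entry and store it under a random id; returns the id
// (record it against the post in your database) or throws on any problem.
function store_upload(array $f): string
{
    $err = $f['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload failed (error code $err)");
    }
    if (!is_uploaded_file($f['tmp_name'])) {       // must really come from this request
        throw new RuntimeException('not an uploaded file');
    }
    if ($f['size'] > MAX_BYTES) {                  // size check against DoS, as advised above
        throw new RuntimeException('file too large');
    }
    // $f['type'] is whatever the client claimed; ignore it and sniff the bytes instead.
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if ($type === false || !in_array($type, ALLOWED, true)) {
        throw new RuntimeException("rejected type $type");
    }
    // Images get a second, structural check: GD must actually be able to parse them.
    if (strncmp($type, 'image/', 6) === 0 && @getimagesize($f['tmp_name']) === false) {
        throw new RuntimeException('not a parseable image');
    }
    // The original filename never touches the disk or your HTML: the file is
    // renamed to an opaque id and only ever served through a script that looks it up.
    $id   = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $id;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload into place');
    }
    chmod($dest, 0640);                            // readable by the server, never executable
    return $id;
}

try {
    echo 'stored as ', htmlspecialchars(store_upload($_FILES['upload'] ?? []));
} catch (RuntimeException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage());
}
```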
Thanks everyone - this is just the type of insight I was looking for. I'm going to rework the permissions scheme, and implement some of your pointers.
Now a person has to be a paid and registered member in order to upload anything (I don't have file uploads open to anybody) and I can't see anyone abusing it, but I'd rather be safe than sorry!
Thanks again.