I have a PHP website and I want to know if is it secure to let users upload .SWF files?
If yes, is there something I can do to make it 100% safe?
Generally speaking, it is dangerous to allow users to upload any files that are potentially executable in some form (be it binary or script). Depending on the needs of the users, there may be a safe way.
As long as the users don't need to execute the .SWF but rather just store them, you can simply remove the executable bit from the file while it sits on your server. This way the file cannot be executed on your server.
Something you will have to address though, is users uploading malicious SWFs that are targeted at other users instead of your server. Even if you remove the executable bits, a user could still trick another user into downloading and executing the SWF that is stored on your server. To fix this you should insist that users be logged in to access their files, or at least the SWF files. This way without a valid session someone can't access it.
It is important that the files not be executed by your server. Flash is notorious for vulnerabilities and you don't want to get Pwned by a user who uploads a malicious SWF for execution to your server.
Related
We have a server that has been compromised that is running WordPress and Magento and is running them on about 5 domains all on the same server.
The hacker has been uploading there malicious scripts through all the file-system in hundreds of locations. It is a nightmare at this stage and I am still unable to find the entry point.
I did just notice that one of our AJAX image upload fields allows me to rename a PHP file as a .jpg and upload the file to the server.
When I access the PHP .jpg file in the browser is serves a broken image.
So I am not sure if the hacker would be able to upload a PHP file here and access it as a PHP file or if it would just serve it as a broken image fore like it did for me in the browser?
Any ideas on how much of a security threat this could be? Could it potentially be my entry point where hacker gained initial access? Or is the fact it serves as a broken image instead of processing the PHP file when I load in my browser mean that its somewhat secure?
Any help appreciated, thank you
Hard to say if the hacker has done something without actually checking what's there.
Regarding how to secure future image uploads I would advice using a function like finfo in PHP http://php.net/manual/en/function.finfo-file.php to find if a file belongs to any of the approved mime types, which btw, you should restrict to only a limited type of image types.
Also you should consider not allowing the use of the original image, but instead an adjusted version of it, to avoid that users end up downloading huge images or things like that.
Answer:
Usually (depending on the web server configuration) no one can execute a PHP file if it has a different extension, they could have upload it, but they can't run it, at least in any common configuration.
So, in theory you should not have to worry for that specific thing, but do be worry that someone is spending time in trying to hack you and that means you should expend time protecting the site and server.
I would recommend searching for articles on how to protect your specific server and configuration and to make sure you update your software, OS and such to the latest security updates.
Being able to upload a file with .jpeg file extension but PHP content is not a vulnerability in itself. However:
if the attacker is writing all over the file system you might have an upload function with a directory traversal vulnerability which will need fixing, ideally by not letting the uploader choose their own filename at all;
there are other problems to do with cross-site-scripting when you let users upload content to be served from the same hostname as the site;
it may be worth checking an uploaded file using something like getimagesize() to ensure that you have a JPEG file and non-ridiculous dimensions, but given the possibility of ‘chameleon’ files that can be interpreted as multiple different types this is not necessarily watertight, so this is a ‘defense-in-depth’ measure at best.
Getting a web server to run a .jpeg file as PHP code could happen by:
being able to write to server configuration to associate .jpeg with the PHP handler. Typically this would happen because another vulnerable file upload feature allowed an attacker to write a .htaccess file in the same directory for Apache to pick up.
a PHP script with a Local File Inclusion security hole. Typically this would be code like:
include("include/$variable");
where an attacker can get content into $variable, to point to something.jpeg. Generally include/require should never be used with variables unless those variables are explicitly limited to a few known-good values.
The other likely possibility if you have a load of malicious pages uploaded to your server is that your server login is compromised.
I have a simple site which allows users to upload files (among other things obviously). I am teaching myself php/html as I go along.
Currently the site has the following traits:
--When users register a folder is created in their name.
--All files the user uploads are placed in that folder (with a time stamp added to the name to avoid any issues with duplicates).
--When a file is uploaded information about it is stored in an SQL database.
simple stuff.
So, now my question is what steps do I need to take to:
Prevent google from archiving the uploaded files.
Prevent users from accessing the uploaded files unless they are logged in.
Prevent users from uploading malicious files.
Notes:
I would assume that B, would automatically achieve A. I can restrict users to only uploading files with .doc and .docx extensions. Would this be enough to save against C? I would assume not.
There is a number of things you want to do, and your question is quite broad.
For the Google indexing, you can work with the /robots.txt. You did not specify if you also want to apply ACL (Access Control List) to the files, so that might or might not be enough. Serving the files through a script might work, but you have to be very careful not to use include, require or similar things that might be tricked into executing code. You instead want to open the file, read it and serve it through File operations primitives.
Read about "path traversal". You want to avoid that, both in upload and in download (if you serve the file somehow).
The definition of "malicious files" is quite broad. Malicious for who? You could run an antivirus on the uplaod, for instance, if you are worried about your side being used to distribute malwares (you should). If you want to make sure that people can't harm the server, you have at the very least make sure they can only upload a bunch of filetypes. Checking extensions and mimetype is a beginning, but don't trust that (you can embed code in png and it's valid if it's included via include()).
Then there is the problem of XSS, if users can upload HTML contents or stuff that gets interpreted as such. Make sure to serve a content-disposition header and a non-html content type.
That's a start, but as you said there is much more.
Your biggest threat is going to be if a person manages to upload a file with a .php extension (or some other extension that results in server side scripting/processing). Any code in the file runs on your server with whatever permissions the web server has (varies by configuration).
If the end result of the uploads is just that you want to be able to serve the files as downloads (rather than let someone view them directly in the browser), you'd be well off to store the downloads in a non web-accessible directory, and serve the files via a script that forces a download and doesn't attempt to execute anything regardless of the extension (see http://php.net/header).
This also makes it much easier to facilitate only allowing downloads if a person is logged in, whereas before, you would need some .htaccess magic to achieve this.
You should not upload to webserver-serving directories if you do not want the files to be available.
I suggest you use X-Sendfile, which is a header that instructs the server to send a file to the user. Your PHP script called 'fetch so-and-so file' would do whatever authentication you have in place (I assume you have something already) and then return the header. So long as the web server can access the file, it will then serve the file.
See this question: Using X-Sendfile with Apache/PHP
Background: I have a website where people can store transactions. As part of this transaction, they could attached a receipt if they wanted.
Question: Is there any security risk if a user is allowed to upload any type of file extension to my website?
Info:
The user will be only person to ever re-download the same file
There will be no opportunity for the user to "run" the file
They will only be able to download it back to themselves.
No other user will ever have access to another users files
There will be a size restriction on the say (say 2mb)
More info: I was originally going to restrict the files to "pdf/doc/docx" - but then realised some people might want to store a jpg, or a .xls etc - and realised the list of files they "might" want to store is quite large...
edit: The file will be stored outside public_html - and served via a "readfile()" function that accepts a filename (not a path) - so is there anything that can 'upset' readfile()?
Yes, it is definitely a security risk unless you take precautions. Lets say, to re-download the file, the use has to go to example.com/uploads/{filename}. The user could upload a malicious PHP file, and then 'redownload' it by going to example.com/uploads/malicious.php. This would, of course, cause the PHP script to execute on your server giving him enough power to completely wreck everything.
To prevent this, create a page that receives the filename as a parameter, and then serve the page to the user with the correct content-type.
Something like, example.com/files?filename=malicious.php
"There will be no opportunity for the user to "run" the file"
As long as you are 100% sure that that will hold true, it is secure. However, make sure the file will not be able to be executed by the webserver. For example, if the user uploads a .php file, make sure the server does not execute it.
Computers don't run programs magically by themselves, so basically you just need to ensure that the user has no ability to trick your server into running the file. This means making sure the proper handlers are disabled if the files are under the web root, or passing them through a proxy script if they are not (basically echo file_get_contents('/path/to/upload') with some other logic)
Another option would be to store the file like name.upload but this would require keeping a list of original names that map to the storage names.
I'm creating a file sharing site, similar to Megaupload or Rapidshare. Just like those sites mentioned I need to allow ANY filetype.
I was thinking about a solution, and need to know if there is any security risks with it, or is there a better solution to my problem?
User uploads file
Check file size, if below 100mb begin upload
Encrypt the filename using IP, timestamp and salt
Store in a directory that is not accessible from the web
Store filename, description, and hashed file name in database
Upload done. Now for the downloading:
User requests download
Connect to database, locate file ID
If file ID found, copy the file from the file server location and prepare for file transfer
It's important to note that NOTHING CAN EVER RUN ON THE SERVER. So users can't upload malicious files and launch attacks on the server. When requesting the file, it will immediately launch a download, and never run.
Now, with the above in mind, is there any flaws in the model above that could allow malicious users to attack the servers?
For the purpose of answering the question, assume the rest of the site is secure.
This sounds fine, provided it is properly implemented of course; the only step that's missing IMO is checking for possible filename collisions between 3. and 4., and/or using a completely random file name. After all, the IP address and timestamp are not really relevant information in this context.
On the download side, copying the file on the server should not be necessary. Streaming it from the secret location should be enough, seeing as it will never be visible or accessible to the end user.
I am new to the document storage space. I am not sure what i am doing yet, but before i begin i wanted to know about the possible security threats one has when one allows document uploads and what is the best way to sanitize the data? I am using PHP and will allow images, word docs, pdfs, excel docs, etc.
And is this a good solution:
http://blog.insicdesigns.com/2009/01/secure-file-upload-in-php-web-applications/
There are a vast amount vulnerabilities, when allowing a user to upload files. Potential, blocking unwanted file formats, can help limit the possibilities of someone being able to upload a shell, and root your server. Affecting the integrity, confidentiality and availability of information on your servers.
There also vulns within you forms control as well such as XSS (cross-site scripting) exploits...allowing a user to run malicious code. This could lead to malicious code being executed in users environments.
There also the possibilities, for vulnerabilities within your actual database as well i.e. SQL injections.
Just don't let the server execute executable files...
Risk from users uploading large files, utilising vital disk space and bandwidth.
Useful link for securing PHP upload scripts: http://www.webcheatsheet.com/PHP/file_upload.php
There are two really obvious ones:
If improperly done, a file uploader could allow the user to overwrite other people's files -- including the PHP that runs the site. Make sure permissions are set so that the web server's account has read-only access to any directory but where stuff should be written, and that nothing in that directory can be executed.
Users can upload (big) enough files to fill the site's disk quota. Even if they can't, they can try -- and the server might not refuse the upload til after the whole file's been sent anyway, chewing up precious resources and possibly still filling the drive (if only for the time it takes to refuse the request and delete the temp file).
And that's just the risks to the server. Files can contain malware that can affect other users. You'll probably want to find a scanner for that stuff.
I'll suggest that if you want to let people upload files, you find a pre-written script that a lot of other people use and recommend. Rolling your own is bound to cause you problems when someone does something that you never considered.
There are several threats you should be aware of:
Malware like virus, worms, trojan horses and so on, especially if the uploaded files are accessible by other users.
Files that can be executed on your system like php-files. If a user can upload a php-file to your webroot, he can execute arbitrary commands using something like passthru(cmd) or system(cmd).
Illegal content. You don't want anything illegal on your server that could get you into trouble.
Someone could upload HTML-files with javascript, using them for XSS attacks
...
Just to name some of them. You should take a look at the OWASP Website concerning Unrestricted File Upload. You should find anything you need there.