I'm going to allow my users to make iframed HTML pages on my site. They will input text including markup and I will create the .html file using fwrite().
Are there reasons not to make the file permission for these .html files 0777?
Obviously I don't want people executing javascript but other markup should be fine. Should I do 0766 instead then?
I'm not very familiar with permissions so general advice would be appreciated too.
0777 is inappropriate for data files such as HTML. They should likely be set as 0644 (owner read+write, group/others read only).
Note that the executable bit on an HTML file has absolutely no bearing on what permissions it will have when loaded in a browser. For instance, Javascript will run just fine out of any HTML file, regardless of its permissions -- if you do not want to allow Javascript to run from these files, you will need to filter the content yourself. Good luck.
If you can make sure, that they will upload ONLY html files - then it's fine.
Related
I am in the process of setting up the godaddy file permissions and I do not know what permissions to set for my PHP files. They should be able to read, write and execute effecting the SQL server. Which options should I select, the default permissions are shown in the image below.
PHP files should only have the EXECUTE permission for all 3 groups
php files are executed, not read, like html files for example
if you leave read, people can with some tricky methods view your actual php code and steal it, so don't leave read on .php files
They have some php code within (if, endif, variables), but essentially they are html files.
Do you think is a good idea to use the .html extension and prevent direct access to them trough .htaccess, so the php code is not visible to anyone ?
Is it safe?
can you test the script?
As far as I know the PHP is just server-side so after the server "do its thing" it doesn't show on the users computer (when he tries to see the source code).
Javascript and HTML are displayed but not the php.
I have used the .htaccess file to block some other files in the folder such as the DB credentials and such that I had named .inc (for include). If you block the html with the htaccess noone is going to be able to see the webpage.
I hope I understood it right! (And clarified it as well)
Just have an .htaccess with deny from all in the views folder... ;p
Tho if you have files like images or css that you want loaded from that theme folder then by all means rename the view to .php and put as this on the first line:
if (!defined("RUN")){die('No direct access');}
Obviously define('RUN',true); in your config.
Suppose that our web-hosting is linux and php is installed:
1- What could be the worst that happens when a php code can be uploaded instead of an image.
2- Can the intruder somehow retrieve my database password ? suppose that the directory on which images get stored has 777 file permissions.
3- What if when the image directory has 644 permission?
The answer to my question can be combined with the ones given to these two: Security: How to validate image file uploads? and Security issues in accepting image uploads
What could be the worst that happens when a php code can be uploaded instead of an image.
Worst case: Intruder can execute arbitrary PHP code, maybe even arbitrary code on the server. If the attacker is clever enough while the sysadmins aren't, he might even own the whole server/subnet/network/...
Can the intruder somehow retrieve my database password ? suppose that the directory on which images get stored has 777 file permissions.
If the attacker can execute PHP code (which of course depends on your security measures), he can definitely read files from the current user, so the answer is most probably yes.
What if when the image directory has 644 permission?
Unless you use PHP in CGI mode, the execute bit shouldn't be necessary for the webserver to execute a script, so that alone doesn't help.
Of course those are not the questions you should ask. The question you should ask is how to prevent an attacker from uploading an executable PHP file in the first place. My answer to that is that you should check the file extension against a white list and drop everything else, for example:
$pattern = "/\.(jpe?g|gif|png)$/iD";
if (!preg_match($pattern, $filename))
die("Please don't.");
You should make sure you don't allow parsing of php files in your image directory, since I'm assuming it's going to be open to the public.
You could do this in the /images/.htaccess file with
RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
That way if they try to go to domain.com/images/hackdatabase.php it'll just return their code and not the file.
But you should check to make sure its' an image in the first place.
Im working on an upload script, and i want a user to be able to upload any file.
I had it al working on localhost, i added
php_flag engine off
AddType text/plain php html shtml php5 php4 php3 cgi asp aspx xml
to my htaccess in the upload folder, and it showed the source of PHP, html and all other files. Exactly as i wanted to.
Now i tried to upload it to a real webserver, and unfortunately my host does not allow such .htaccess files.
I tried openinging the files with file_get_content() and fopen() and giving them a text/plain header.. but nothing works. It first executes the scripts and shows the output in my textarea.
Do you guys have any suggestions on how i can fix this without .htaccess ?
Thanks!
Don't upload files into the webroot and let people access them directly. As you say, .php scripts (and probably a lot more) get executed that way. A classic way for arbitrary code execution attacks.
Store uploaded files outside the webroot where they're not publicly accessible and create a script that allows users to download the files, for example using readfile or Apache mod_xsendfile, after having done the necessary permission checks.
Also see Security threats with uploads.
I am trying to secure my PHP Image upload script and the last hurdle I have to jump is making it so that users cannot directly excecute the images, but the server can still serve them in web pages. I tried changing ownership and permissions of the folders to no avail, so I am trying to store the images above public_html and display them in pages that are stored in public_html.
My File Structure:
- userimages
image.jpg
image2.jpg
- public_html
filetoserveimage.html
I tried linking to an image in the userimages folder like this:
<img src="../userimages/image.jpg">
But it does not work. Is there something I am missing here? If you have any better suggestions please let me know. I am trying to keep public users from executing potentially dangerous files they may have uploaded. Just as an extra security measure. Thanks!
You want something that's basically impossible.
The way a browser loads a page (in a very basic sense) is this:
Step 1: Download the page.
Step 2: Parse the page.
Step 3: Download anything referenced in the content of the page (images, stylesheets, javascripts, etc)
Each "Download" event is atomic.
It seems like you want to only serve images to people who have just downloaded a page that references those images.
As PHP Jedi illustrated, you can pass the files through PHP. You could expand on his code, and check the HTTP_REFERER on the request to ensure that people aren't grabbing "just" the image.
Now, serving every image through a PHP passthru script is not efficient, but it could work.
The most common reason people want to do this is to avoid "hotlinking" -- when people create image tags on other sites that reference the image on your server. When they do that, you expend resources handling requests that get presented on someone else's page.
If that's what you're really trying to avoid, you can use mod_rewrite to check the referer.
A decent-looking discussion of hotlinking/anti-hotlinking can be found here
Use an image relay script!
To serve a imagefile that is outside the public_html folder you would have to do it by a php script. E.g make a image-relay.php that reads the image that is outside the public html...
<?php
header('Content-Type: image/jpeg');
$_file = 'myimage.jpg'; // or $_GET['img']
echo file_get_contents('/myimages/'.$_file);
?>
Now, $_file could be a $_GET parameter, but its absolutley important to validate the input parameter...
now you can make an <img src="image-relay.php?img=flower.jpg"> to access a flower.jpg image that is located in /myimage/flower.jpg ...
Well, a web browser will only be able to access files and folders inside public_html.
If the public_html directory is the root of the server for your users, Apache cannot serve anything that is not inside/below that dorectory.
If you want a file to be served by Apache directly, you'll have to put it in/below public_html.
I think your misunderstanding is in the fact that if you include an image in an <img> tag, your browser will send the exact same request to the webserver to fetch it, that will be sent to the webserver if you try to open the src url of the image in your browser directly.
Therefore, either both things work, or neither.
There are hacks around, involving a (php or other) script to make sure that an IP that has requested the image has also requested the html page within the last few seconds (which will not work if the user is behind a proxy that rotates outgoing IPs) or by checking the referer (which does not work with HTTPs and also not if the user has referer disabled).
If you want to make sure that only some users can see the image (both via <img> tag and directly), you can put the image outside public_html and have a (php or other) script that verifies the user's credentials before serving the image.
If you are using Apache or lighttpd you can use the X-Sendfile header to send files that are not in the web root(provided you haven't changed the configuration of mod_xsendfile).
To learn more about X-sendfile see this site.
This solution is giving you the best possible performance as PHP doesn't send the file but the server does and therefore PHP can be exited while the files are being served.
Hope that helps.