Would a public upload folder be a security issue? - apache

On my site, I have an ability for users to upload a file into the server and be able to view all uploaded files in a directory called "public uploads" where users can view all files that have been uploaded by other users. It's the Apache directory page where it says "Index of /uploads". It's sort of a file sharing hub where people can download and share other people's files.
Would there be any security issues with this?
Can a user, say, upload a malicious PHP script, and execute it from the client side?
How can I resolve these issues, should they exist?

Possibly; it all depends on the server, PHP and Apache configuration.
See OWASP's Unrestricted File Upload vulnerability page for some of the risks:
The impact of this vulnerability is high, supposed code can be executed in the server context or on the client. The likelihood of a detection for the attacker is high. The prevalence is common. As a result the severity of this type of vulnerability is High.
The web server can be compromised by uploading and executing a web-shell which can run commands, browse system files, browse local resources, attack other servers, and exploit the local vulnerabilities, and so forth.
This may also result in a defacement.
An attacker might be able to put a phishing page into the website.
An attacker might be able to put stored XSS into the website.
This vulnerability can make the website vulnerable to some other types of attacks such as XSS.
Picture uploads may trigger vulnerabilities in broken picture libraries on a client (libtiff, IE had problems in the past) if the picture is published 1:1.
Script code or other code may be embedded in the uploaded file, which gets executed if the picture is published 1:1.
Local vulnerabilities of real-time monitoring tools, such as an antivirus, can be exploited.
A malicious file (Unix shell script, windows virus, reverse shell) can be uploaded on the server in order to execute code by an administrator or webmaster later -- on the server or on a client of the admin or webmaster.
The web server might be used as a server in order to host malware, illegal software, porn, and other objects.
See my other post for some general guidelines on making file uploads safe.
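The answer above says the outcome depends on the server, PHP and Apache configuration. The following is an added example of what that configuration looks like when it is done defensively; it is not part of the answer or of any project referenced here. It is an Apache 2.4 virtual host fragment for the "Index of /uploads" setup from the question; the vhost name, all paths, and the PHP module names are assumptions chosen for illustration, and the Header lines need mod_headers loaded.

```apache
# Added example, not configuration from the answer above: an Apache 2.4 vhost
# fragment that keeps a public "Index of /uploads" listing but makes sure
# nothing in that tree can run server-side or render as a page in the browser.
# The vhost name and all paths are assumptions chosen for illustration.

<VirtualHost *:80>
    ServerName share.example.test
    DocumentRoot /var/www/share/htdocs

    <Directory "/var/www/share/htdocs/uploads">
        # Keep the directory listing (that is the feature), but no CGI, no SSI,
        # and no following of uploaded symlinks out of the tree.
        Options +Indexes -ExecCGI -Includes -FollowSymLinks
        # An uploaded .htaccess must not be able to re-enable any of this.
        AllowOverride None
        Require all granted

        # 1. mod_php: switch the engine off for this directory entirely, so the
        #    file name (shell.php, shell.phtml, shell.php.jpg, ...) is irrelevant.
        #    The module file name depends on the PHP version (assumption: PHP 8
        #    registers mod_php.c, PHP 7 registers mod_php7.c).
        <IfModule mod_php.c>
            php_admin_flag engine off
        </IfModule>
        <IfModule mod_php7.c>
            php_admin_flag engine off
        </IfModule>

        # 2. PHP-FPM via mod_proxy_fcgi: undo the vhost-wide SetHandler for PHP
        #    extensions inside this directory. (If PHP is wired up with
        #    ProxyPassMatch instead, add "ProxyPass /uploads/ !" at vhost level,
        #    because that form bypasses <Directory> sections entirely.)
        <FilesMatch "\.(php[0-9]?|phtml|phar|phps)$">
            SetHandler none
        </FilesMatch>
        # Also drop any AddHandler/AddType mappings inherited from the server config.
        RemoveHandler .php .phtml .phar .phps .cgi .pl .py .shtml
        RemoveType    .php .phtml .phar .phps

        # 3. Serve real files as opaque downloads, never as HTML/SVG/etc. on this
        #    origin, so an uploaded page cannot become stored XSS or a phishing
        #    page. The expr= conditions (Apache 2.4.10+) keep the generated
        #    index page itself viewable; mod_autoindex sets its own text/html.
        ForceType application/octet-stream
        Header set Content-Disposition "attachment" "expr=-f %{REQUEST_FILENAME}"
        Header set X-Content-Type-Options "nosniff"
        Header set Content-Security-Policy "default-src 'none'; sandbox" "expr=-f %{REQUEST_FILENAME}"
    </Directory>
</VirtualHost>
```

To check it, upload a file named test.php containing `<?php phpinfo(); ?>` and fetch it: the response must be the literal source with Content-Type application/octet-stream and a Content-Disposition: attachment header, not a phpinfo page. Repeat with test.phtml, test.php.jpg and an .htaccess file. The Options and handler lines protect the server; the ForceType and header lines protect the users the second answer worries about, by stopping uploaded HTML from executing in their browsers on your origin.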

Allowing users to upload files to a public folder does not pose a risk for your server. They cannot run these files on your server.
It does pose a risk for users that download any of these files. These files may contain a virus or malware. Opening any of these files is a high security risk for your users. Not sure you're doing them a favor offering such a feature.

Related

Prevent content (files) upload to cpanel

I am new to Management System. Now I need to control a website. Some days ago, someone hacked it — not SQL injection, just file changes / new file uploads.
I need to know how I can prevent it; I want to learn.
Please, can someone give me some suggestions?
To prevent this, you need to update your server security with mod_security. mod_security is a web server firewall, so you will have to install it and update the mod_sec rules on your server to prevent this.
Also, update your site scripts, plugins and themes which you are using for your site.
Use strong passwords for your cPanel, FTP and site admin panel.
Also, check WHM >> Security Center >> Security Advisor and fix all the warnings which you get in that scan report.
Install maldet on your server, scan all user home directories and remove infected files from your account.

Tiny FTP client with pre-configured settings? - a simple file uploader?

I am looking to have users upload files to an FTP server using a "pre-configured" FTP client. By that I mean; the FTP client's connection settings have already been set in the client they have downloaded. Ideally users should be able just to drag and drop the files into a simple window and the file uploads.
I have found two applications which allow me to do this:
"FTP Maker" (softhing.com/ftpmaker.html)
This allows you to configure the FTP connection details and add a logo. You then hit a button which generates the "uploader application". This can then be distributed to users where they have to configure nothing. While this works, it doesn't have as many features as...
"FTP Uploader Creator" (devzerog.com)
Same as above, except the application can zip before uploading, can resume uploads and can also send an email after the upload has completed. These are handy features I wish FTP Maker had. The issue with this application is its developer seems to have gone out of business and only the thirty-day trial is available...
Another application is "FTPcreator" (ftpcreator.com). Unfortunately this is a little outside my price range.
I am also aware of options such as dropbox, ftpbox etc.
Do you know of any super-lite FTP clients which I could pre-configure before sending out to users? Ideally it should have the features of "FTP Uploader Creator" above. I believe this sort of tool might be used in IT to allow users to send files directly to an FTP server.
I know I could do this through a webpage. However, the files will be particularly large and well over my host's Apache upload file size limit.
I have spent literally hours looking for alternatives! Any help would be greatly appreciated!

ModX Cache: Files Being Written with Wrong Permissions

The title doesn't really sum it all up...
I have recently installed ModX Revolution 2.2.4 on an Apache server and I am having complications with the cache folder. Occasionally I have to manually clear the cache folder via FTP, but any files written there are owned by Apache and my account can't delete them. I have tried adding the "new_file_permissions" and "new_folder_permissions" to the system settings, but there is no change. The cache files are always owned by Apache and I have no access via FTP.
Also, files such as the .htaccess and really anything I upload (css etc) are seen as uneditable to ModX unless I manually change them to 777 via FTP. I can't change owner and group though.
The server tech can't figure it out. This has come up before on the modx forums but it has never been answered.
Obviously, this is a server problem.
I had this problem (with an IIS server though), and the host needed to change some of their settings.
Especially, if MODX works on your different host(s).
That is the way it is supposed to work: your FTP account does not have permission to write files written by Apache; your FTP user may be a member of the group but does not have write permission [needed to delete]. I suspect this is by design for security purposes.
Your new_file_permissions and new_folder_permissions settings are used for the ModX file manager.
So you can do a couple of things:
Run ModX under FastCGI; that way the user writing the files should be the same user as the FTP user.
OR
write a little script [you can even stuff it in a snippet] that will delete the cache files for you [since it will be running as the Apache user, it should be no problem].

Need advice on a secure webserver for clients to log into and view data

Hey guys, I've been googling ambitiously but my searches seem to be somewhat ambiguous, so I thought I'd ask here.
My company has asked me to look into a web portal system that allows clients to log in via their browser and view/download their specific invoices / reports (the web server would be in-house).
These (initially at least) would be static documents: PDFs, maybe Excel spreadsheets and the like.
What I want to happen is a customer heads to our website (hosted elsewhere), clicks a link that takes them to a secure login for our webserver, they then enter their login details and are taken to their respective 'folder' on our webserver. Here they can download PDFs - that we keep up to date.
The main considerations are for it to be secure such that users can't access other users' folders and for users not to have to install anything to view or download their documents.
I'm setting up a PC to be a LAMP server right now; I've read WebDAV would be a good way to go but I'm not sure about how to get that working in a browser? Any advice or resources you guys can point me to to give me a bit more direction would be greatly appreciated.
Thanks, Rob
If you've only got a handful of accounts to manage, Apache's built-in HTTP Auth password stuff works pretty well; you write usernames and hashed passwords into an .htpasswd file with the htpasswd utility.
Then you use <Location> directives to specify the URL and directories to find the data, and inside the <Location> directives, use the Require directive to either list specific usernames or valid-user.
Just make sure your .htpasswd file isn't stored in the web root. You don't want people to get a hold of the thing and start brute-forcing your passwords (or see your other allowed users, in case client privacy is a priority).
But it is pretty heavy maintenance -- password changes pretty much have to go through a human. I imagine someone has scripts to automate that, but I wouldn't trust them very far. :)
If you want something that scales larger, I think you might be better off building such a tool yourself.
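The answer above describes the pieces (an htpasswd file outside the web root, a section per URL, a Require line) without showing them together. The following is an added example, not the answer's own configuration, that puts them into one Apache 2.4 virtual host and goes one step further than a hand-written block per client: a single DirectoryMatch ties each client's folder to the username they logged in with. The vhost name, paths, certificate files and the client names "acme" and "globex" are assumptions chosen for illustration.

```apache
# Added example, not the answer's own configuration: an Apache 2.4 vhost in which
# each client logs in with HTTP Basic auth and can only reach the folder named
# after their username. Vhost name, paths, certificate files and the client
# names "acme" and "globex" are assumptions chosen for illustration.
#
# Create the password file outside the DocumentRoot, with bcrypt hashes (-B)
# rather than the default apr1/MD5 ones, which are cheap to brute-force:
#   htpasswd -c -B /etc/apache2/portal.htpasswd acme
#   htpasswd    -B /etc/apache2/portal.htpasswd globex
#   chown root:www-data /etc/apache2/portal.htpasswd
#   chmod 640          /etc/apache2/portal.htpasswd

<VirtualHost *:443>
    ServerName portal.example.test
    DocumentRoot /srv/portal/htdocs

    # Basic auth sends the password base64-encoded, not encrypted: TLS is mandatory.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/portal.example.test.pem
    SSLCertificateKeyFile /etc/ssl/private/portal.example.test.key

    # Client documents live outside the DocumentRoot and are mapped in here.
    Alias /clients /srv/portal/clients

    <Directory "/srv/portal/clients">
        Options -Indexes -FollowSymLinks
        AllowOverride None
        AuthType Basic
        AuthName "Client portal"
        AuthUserFile /etc/apache2/portal.htpasswd
        # The parent folder itself: any logged-in user, but nothing listed here.
        Require valid-user
    </Directory>

    # One rule for every client folder instead of a <Location> per customer:
    # the first path component after /clients/ is captured into the MATCH_CLIENT
    # environment variable (Apache 2.4.8+) and must equal the authenticated
    # username. Adding a client is then one htpasswd entry plus one directory.
    # This Require replaces the parent's "valid-user" (AuthMerging defaults to Off).
    <DirectoryMatch "^/srv/portal/clients/(?<CLIENT>[^/]+)">
        Require expr "%{REMOTE_USER} == %{env:MATCH_CLIENT}"
        Options +Indexes
    </DirectoryMatch>
</VirtualHost>
```

To check the isolation the question asks for, log in as acme and request /clients/acme/ (expect 200 and a listing), then /clients/globex/ with the same credentials (expect 403), then /clients/acme/ with no credentials (expect 401). The password-change problem the answer mentions remains: htpasswd has to be re-run by someone with shell access on the server.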

Where Can I get a Web Server or File Share Server?

I'm trying to publish my program so that it can get updates and am told I have to publish my changes to a web server or file share server, but I have no idea how I can go about getting one... are there free ones that will perform what I need to accomplish?
OK, I don't know what to do and comments seem to go ignored.
I've tried setting the publish location to sites.google.com/site/mysite.com/filecabinetpage/PQCMFILES
and I got an error saying I needed "Front Page Server Extension Capabilities".
I tried setting it to http://productivityquotient.hostzi.com/PQCMFILES/ and it told me:
Error 1 Failed to connect to 'http://productivityquotient.hostzi.com/PQCMFILES/' with the following error: Unable to create the Web site 'http://productivityquotient.hostzi.com/PQCMFILES'. An error occurred accessing your site configuration files. Authors - if authoring against a web server, please contact the webmaster for this server's site. Webmasters - please see the server's application event log for more details. 1 1 Contact Manager
I tried setting it to a directory on the microsoft site and it said: "unable to create directory. files moved" or something like that.
I can't host it on an ftp server if I intend to use the updates feature and I don't know what to do...
Maybe Microsoft's free web hosting will allow you to do this.
000webhost.com is actually a pretty reliable host, with decent and free advertisement-free hosting. It also supports typical web server things such as FTP access, cpanel and e-mail accounts.
Their limit on free hosting is basically low disk space (1.5 GB) and bandwidth (100 GB/mo) and some minor content restriction. If that seems fine for you, then I highly recommend it. Even on free accounts, their ticket response time is blazing.
NearlyFreeSpeech, while not free, lets you host your application on a pay as you go plan. There are free web-hosts, but most lack the features of costies, such as FTP access.