  1. #1 DR_LaRRY_PEpPeR

    file uploads, Unix file permissions, and security

    i don't exactly understand what the security risks are with file uploads. i'm making a PHP script where people will be able to upload a picture and i know that the directory where i'm gonna store the files has to be writable by PHP (777 i guess). i understand all of that. and i know how to make sure that it's an actual file upload and all that stuff. no problem.

    but what are the security risks (on a shared host) that are always mentioned, with the directory being writable by PHP? what can happen? could someone on my host that knows my username like make a PHP script and go to my directory (like /home/username/public_html/pictures) and delete all the files or something, since their PHP script, i assume, is running as the same user as me?

    i've never really seen a good explanation of the security risks of world writable dirs. so if someone could explain what bad things could be done, how they could be done, and what, if anything, can be done to prevent them i'd really appreciate it!

    thanks!
    Last edited by DR_LaRRY_PEpPeR; Sep 13, 2001 at 22:12.

  2. #2 freakysid
    In this thread:
    http://www.sitepointforums.com/showt...threadid=28047

    I made reference to this article:
    http://www.securereality.com.au/studyinscarlet.txt

    which from memory discusses security and file uploads.

    It seems to me that the main security risks associated with php come from a couple of features that make it a convenient language for us lazy programmers to use.

    1) Not needing to explicitly declare variables ahead of use.

    2) Throwing the apache global environment variables into the global namespace (register_globals).

    The problem here is when the programmer ASSUMES that the value of a certain variable is being set through the intended method - as a POST or GET, etc, variable. However, the fact that the contents of these environment variables - HTTP_POST_VARS[], HTTP_GET_VARS[], etc, are thrown into the global namespace and referenced this way by the programmer means that a lot of the time the programmer is really just ASSUMING that the data is coming from where it is expected.

  3. #3 DR_LaRRY_PEpPeR
    freakysid, i understand all of that and have no problems verifying where the file came from. i've read that very good article before.

    just take my PHP script out of the picture for a sec. what malicious things can be done when the directory is chmod 666 or 777 so PHP can write to it? or aren't there any? i'm sure there are though. is what i mentioned in my example possible? can someone else on the same server make a script to access my files since both of our scripts are running as the same user? that's the stuff i don't understand.
    Last edited by DR_LaRRY_PEpPeR; Sep 13, 2001 at 23:43.

  4. #4 freakysid
    hehe - OK. You know it is a very good question and I think that the answer is YES! - any other user on a shared machine (if they know the correct path to your directory) would be able to write to your world writable, or even your apache user writable, directory. Furthermore - depending on how ftp has been set up - the user might be able to navigate around the filesystem using ftp!

    I believe this is why it is becoming popular to set up shared servers where each user has their own copy of apache, etc, etc running as different users and not sharing the same apache binary as is the traditional way of shared hosting.

    It is an interesting point and it should probably also be noted that the cost of leasing a dedicated server with a reasonable internet connection is becoming quite cheap these days. Prices for decent servers and decent connections start at $100 a month.

  5. #5 Defender1
    really...?
    i remember when getting a dedi from a hosting company would cost upwards of $500-1000 a month.

  6. #6 freakysid
    Well you are not going to get a superb network with BGP (or whatever it's called - I don't even understand these network and telecommunications infrastructure things) but I am leasing a dedicated server and 100GB transfer for $129 per month (PIII 750MHz, 512MB RAM, 40gig EIDE HDD - only 5,400rpm). It's not the most brilliant and fast internet connection - I can only seem to burst up to around 200KBytes per second most of the time - so somewhere the line is being capped. But it seems to be a very stable and sound connection (not a single packet lost in over two weeks!) and sufficient to be running a few medium trafficked sites off. I got my server from www.pwebtech.com . However it was a special offer and I am not sure whether they will repeat it.

    Then to serve purely static content (images, media, etc), or just one or two medium CPU intensive sites, or a mail server (if you can put up with the RAQ CP, and config - that abomination known as Sendmail, etc) you can get a RAQ4i with 512MB RAM for around the same price per month from www.rackshack.net - which includes 300GB bandwidth! People seem to be pretty happy with the quality of the network connection from what I hear - even if they are not so equal in their praise of support.

    There are other providers who are providing around this price point too (around $100-$150). But this is bottom of the market. And as always, although you don't always get what you pay for, you certainly ain't going to get anything for free either!
    Last edited by freakysid; Sep 14, 2001 at 05:54.

  7. #7 DR_LaRRY_PEpPeR
    back to the security topic. this seems VERY insecure to me that others could access your files.

    couldn't this be done too: you store a PHP file w/ your MySQL username/password outside of the Web root to keep it "secure," right? again, can't someone on the same machine read those files w/ their own PHP script and have your DB password then? and then they could delete your DB or anything! i don't like that at all if it's possible.

  8. #8 freakysid
    As I understand it - yes!
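    A way to tell which of the two situations discussed above applies on a given host, as an added example that is not code from the thread: it reads which uid PHP actually runs as and compares it with the owner of the upload directory. The directory path and the "pictures" name are assumptions for illustration.

```php
<?php
// Added example, not code from the thread: report whether an upload
// directory really needs mode 777, based on which uid PHP runs as.
// The path passed on the command line is an assumption for illustration.

function uploadDirReport(string $dir): array {
    if (!is_dir($dir)) {
        throw new InvalidArgumentException("not a directory: $dir");
    }
    // Find the effective uid of this PHP process by creating a scratch file
    // and reading its owner; this works even without the posix extension.
    $probe = tempnam(sys_get_temp_dir(), 'uid');
    $processUid = fileowner($probe);
    unlink($probe);

    $perms = fileperms($dir);
    $report = [
        'dir_owner_uid'   => fileowner($dir),
        'process_uid'     => $processUid,
        'mode'            => sprintf('%04o', $perms & 07777),
        'world_writable'  => ($perms & 0002) !== 0,
        'sticky_bit'      => ($perms & 01000) !== 0,
        'writable_by_php' => is_writable($dir),
    ];

    if (!$report['writable_by_php']) {
        $report['advice'] = 'PHP cannot write here; uploads will fail.';
    } elseif ($processUid === $report['dir_owner_uid']) {
        // suexec / per-user PHP: the owner bits alone grant write access.
        $report['advice'] = 'PHP runs as the directory owner: chmod 755 is enough, 777 only adds exposure.';
    } elseif ($report['world_writable']) {
        // Shared web-server uid: every other account's scripts run as it too.
        $report['advice'] = 'PHP runs as a shared uid; 777 lets every other account on the host '
            . 'create, delete or replace files here. A sticky bit (chmod 1777) stops other '
            . 'uids from deleting your files, but not scripts running as the same shared uid; '
            . 'only per-user PHP (suexec or similar) actually isolates you.';
    } else {
        $report['advice'] = 'Writable via group permissions; check who else is in that group.';
    }
    return $report;
}

// Usage from the command line: php check_dir.php /home/username/public_html/pictures
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    print_r(uploadDirReport($argv[1]));
}
```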

  9. #9 johnn
    DR_LaRRY_PEpPeR,
    Can you ask your host if there's a way to prevent this problem if you use a shared host and post it here?
    Thanks,
    John

  10. #10 DR_LaRRY_PEpPeR
    i don't have the host yet, but i will ask them anyway (pretty sure i know who i'm getting) and see what they have to say about it. and i WILL report back.

  11. #11 jamesbond
    Quote (DR_LaRRY_PEpPeR):
    just take my PHP script out of the picture for a sec. what malicious things can be done when the directory is chmod 666 or 777 so PHP can write to it? or aren't there any? i'm sure there are though. is what i mentioned in my example possible? can someone else on the same server make a script to access my files since both of our scripts are running as the same user? that's the stuff i don't understand.
    Regarding chmod settings...

    If you have php installed with ftp functions couldn't you have a script that does the following?
    (http://www.php.net/manual/en/ref.ftp.php)

    1. chmod directory 777 using php's ftp functions
    2. upload files into directory
    3. chmod directory 755 using php's ftp functions

    Disadvantage would be that you would have to store your ftp username & password (encrypted) in a file or database.

  12. #12 DR_LaRRY_PEpPeR
    johnn, i asked the question on (what i think will be) my host's forum and someone said that they fixed that problem, unlike a lot of hosts, and there's nothing to worry about. at that host anyway. i hope it's true. BTW, the host is www.aletiahosting.com.

    so there ya go.

  13. #13 DenverDave
    DR Larry

    Thank you very much for asking about upload security. I also have been told that uploading introduces security risks. However, it is hard to devise a scheme to minimize risks when I'm not sure what I am protecting against.

    In my situation, clients want to upload images, text files and some html files. The upload script located in a separate non-public directory requests a password, but the destination directory is 777. I have wondered how easy it would be for others to go around my script and do whatever they want with the directory.

    It seems like better programmers than I have figured out the best security for uploads - but what approach is best?

    It also seems a little silly to have to upload a file to determine that it is too big to keep. Does anyone have some Javascript / php examples to test the file size before uploading? What upload script is best?

    Thank you.
    Dave

  14. #14 johnn
    Thank you Doctor Larry Pepper.

    About upload file size, in php.ini there is a directive called upload_max_filesize that you can set. For example, to set the maximum uploaded file size to be 2 Mbytes:

    upload_max_filesize = 2097152

    Use .htaccess to specify php.ini directives:

    php_value upload_max_filesize 2097152

    In your form, enter this line at the beginning:
    <INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="1000">
    ...maybe Kevin Yank's article "Database Driven..." has a script...

    As I understand, upload_max_filesize overrides MAX_FILE_SIZE if MAX_FILE_SIZE is the larger number.

    As for security, check the first scarlettxt article in my signature. I think it has a link in that article, or you can use google to find info about it.

    John
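    Putting the size directives above together with the other server-side checks a picture upload needs, as an added example that is not part of the thread: the size is re-checked after the upload, the file type is taken from the image contents rather than from the browser, and the stored file gets a server-chosen name and mode 0644. The field name "picture", the 2 MB limit and the pictures/ directory are assumptions, and it needs PHP 7 or newer.

```php
<?php
// Added example, not code from the thread: a picture-upload handler.
// Assumes a form with <input type="file" name="picture"> plus the hidden
// MAX_FILE_SIZE field described above, and a pictures/ directory next to
// this script that PHP can write to.

const MAX_BYTES = 2097152; // 2 MB, matching upload_max_filesize above
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function storePicture(array $file, string $dest): string {
    // PHP reports uploads cut off by MAX_FILE_SIZE / upload_max_filesize here.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: error code ' . ($file['error'] ?? 'none'));
    }
    // Only accept a temp file that PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Re-check the size server-side; the hidden form field is only a hint.
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Decide the type from the file contents, not from $file['type'] or the name.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED[$info['mime']])) {
        throw new RuntimeException('not a supported image');
    }
    // Random server-chosen name with a fixed extension: no path or ".php" tricks,
    // so even a world-readable pictures/ directory never holds executable scripts.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$info['mime']];
    $target = rtrim($dest, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0644); // readable by the web server, never executable
    return $name;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['picture'])) {
    try {
        $stored = storePicture($_FILES['picture'], __DIR__ . '/pictures');
        echo 'stored as ' . htmlspecialchars($stored);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```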

  15. #15 DenverDave
    MAX_FILE_SIZE does work, but only AFTER the file is uploaded. Wouldn't it be nice if a JavaScript function could warn or prevent the TOO BIG file from being uploaded in the first place?

  16. #16 johnn