file uploads, Unix file permissions, and security

[DR_LaRRY_PEpPeR]

i don't exactly understand what the security risks are with file uploads. i'm making a PHP script where people will be able to upload a picture and i know that the directory where i'm gonna store the files has to be writable by PHP (777 i guess). i understand all of that. and i know how to make sure that it's an actual file upload and all that stuff. no problem.

but what are the security risks (on a shared host) that are always mentioned, with the directory being writable by PHP? what can happen? could someone on my host that knows my username like make a PHP script and go to my directory (like /home/username/public_html/pictures) and delete all the files or something, since their PHP script, i assume, is running as the same user as me?

i've never really seen a good explanation of the security risks of world writable dirs. so if someone could explain what bad things could be done, how they could be done, and what, if anything, can be done to prevent them i'd really appreciate it!

thanks!

[freakysid]

In this thread:
http://www.sitepointforums.com/showt...threadid=28047

I made reference to this article:
http://www.securereality.com.au/studyinscarlet.txt

which from memory discusses security and file uploads.

It seems to me that the main security risks associated with php come from a couple of features that make is a convenient langauge for us lazy programmers to use.

1) Not needing to explicitly declare variables ahead of use.

2) Throwing the apache global environment variables into the global namespace. register_globals

The problem here is when the programmer ASSUMES that the value of a certain variable is being set through the intended method - as a POST or GET, etc, variable. However, the fact that the contents of these environment variables - HTTP_POST_VARS[], HTTP_GET_VARS[], etc, are thrown into the gloabal namespace and referenced this way by the programmer means that a lot of the time the programmer is really just ASSUMING that the data is coming from where it is expected.

[DR_LaRRY_PEpPeR]

freakysid, i understand all of that and have no problems verifying where the file came from. i've read that very good article before.

just take my PHP script out of the picture for a sec. what malicious things can be done when the directory is chmod 666 or 777 so PHP can write to it? or aren't there any? i'm sure there are though. is what i mentioned in my example possible? can someone else on the same server make a script to access my files since both of our scripts are running as the same user? that's the stuff i don't understand.

[freakysid]

hehe - OK. You know it is a very good question and I think that the answer is YES! - any other user on a shared machine would be able to (if they know the correct path to your directory) would be able to write to your world writable, or even your apache user writable, directory. Furthermore - depending on how ftp has been setup - the user might be able to navigate around the filesystem using ftp!

I believe this is why it is becoming popular to set up shared servers where each user has their own copy of apache, etc, etc running as different users and not sharing the same apache binary as is the traditional way of shared hosting.

It is an interesting point and it should probably also be noted that the cost of leasing a dedicated server with a reasonable internet connection is becoming quite cheap these days. Prices for decent servers and decent connections start at $100 a month.

[Defender1]

really...?
i remember when getting a dedi from a hosting company would cost upwards of $500-1000 a month.

[freakysid]

Well you are not going to get a superb network with BPG (or what ever its called - I don't even understand these network and telecommunicat infrastructure things) but I am leasing a dedicated server and 100GB transfer for $129 per month (PIII 750MHz, 512MB RAM, 40gig EIDE HDD - only 5,400rpm. Its not the most brilliant and fast internet connection - I can only seem to burst up to around 200KBytes per second most of the time - so somewhere the line is being capped. But it seems to be a very stable and sound connection (not a single packet lost in over two weeks!) and sufficient be running a few medium trafficed sights off. I got my server from www.pwebtech.com . However it was a special offer and I am not sure whether they will repeat it.

Then to serve purley static content (images, media, etc), or just one or two medium CPU intensive sites, or a mail server (if you can put up with the RAQ CP, and config - that abomination known as Sendmail, etc) you can get a RAQ4i with 512MB RAM for around the same price per month from www.rackshack.net - which includes 300GB bandwidth! People seem to be pretty happy with the quality of the network connection from what I hear - even if they are not so equal in their praise of support.

There are other providers who are providing around this price point too (around $100=$150). But this is bottom of the market. And as always, although you don't always get what you pay for, you certainly aint going to get anything for free either!

[DR_LaRRY_PEpPeR]

back to the security topic. this seems VERY insecure to me that others could access your files.

couldn't this be done too: you store a PHP file w/ your MySQL username/password outside of the Web root to keep it "secure," right? again, can't someone on the same machine read those files w/ their own PHP script and have your DB password then? and then they could delete your DB or anything! i don't like that at all if it's possible.

[freakysid]

As I understand it - yes!

[johnn]

DR_LaRRY_PEpPeR,
Can you ask your host if there's a way to prevent this problem if you use shared host and post it here?
Thanks,
John

[DR_LaRRY_PEpPeR]

i don't have the host yet, but i will ask them anyway (pretty sure i know who i'm getting) and see what they have to say about it. and i WILL report back.

[jamesbond]

just take my PHP script out of the picture for a sec. what malicious things can be done when the directory is chmod 666 or 777 so PHP can write to it? or aren't there any? i'm sure there are though. is what i mentioned in my example possible? can someone else on the same server make a script to access my files since both of our scripts are running as the same user? that's the stuff i don't understand.

Regarding chmod settings...

If you have php installed with ftp functions couldn't you have a script that does the following?
(http://www.php.net/manual/en/ref.ftp.php)

1. chmod directory 777 using php's ftp functions
2. upload files into directory
3 chmod directory 755 using php's ftp functions

Disadvantage would be that you would have to store your ftp username & password (encrypted) in a file or database.

[DR_LaRRY_PEpPeR]

johnn, i asked the question on (what i think will be) my host's forum and someone said that they fixed that problem, unlike a lot of hosts, and there's nothing to worry about. at that host anyway. i hope it's true. BTW, the host is www.aletiahosting.com.

so there ya go.

[DenverDave]

DR Larry

Thank you very much for asking about upload security. I also, have been told that uploading introduces security risks. However, it is hard to devise a scheme to minimize risks when I'm not sure what I am protecting against.

In my situation, clients want to upload images, text files and some html files. The upload script located in a separate non-public directory requests a password, but the destination directory is 777. I have wondered how easy it would be for others to go around my script and do what ever they want with the directory.

It seems like better programmers than I have figured out the best security for uploads - but what approach is best?

It also seems a little silly to have to upload a file to determine that it is too big to keep. Does anyone have some Javascript / php examples to test the file size before uploading? What upload script is best?

Thank you.
Dave

[johnn]

Thank you Doctor Larry Pepper.

About upload file size, in php.ini there is a directive called upload_max_filesize that you can set. For example, to set the maximum uploaded file size to be 2 Mbytes:

upload_max_filesize = 2097152

Use .htaccess to specify php.ini directives:

php_value upload_max_filesize = 2097152

In your form, enter this line at the beginning:
<INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="1000">
...maybe in Kevin Yank article "Database Driven..." has a script...

As I understand, upload_max_filesize overrides MAX_FILE_SIZE if MAX_FILE_SIZE is the larger number.

As for security, check the first scarlettxt article in my signature. I think it has a link in that article, or you can use google to find info about it.

John

[DenverDave]

MAX_FILE_SIZE does work, but only AFTER the file is uploaded. Wouldn't it be nice if a JavaScript function could warn or prevent the TOO BIG file from being uploaded in the first place?

[johnn]

http://www.faqts.com/knowledge_base/...aid/288/fid/47