Thread: PHP Security

  1. #1 SitePoint Enthusiast (Join Date: May 2008, Posts: 25)

    PHP Security

    This is more of a general question about application security.

    We have an application in which we would like to allow two things. First, allow uploading a zip file that will populate and create directories and files (PHP as well) in the application directory. Those files will be part of the actual application (i.e. we upload a zip file, the system populates it into the appropriate directory, and then we have a new section in our site, like all kinds of open source software such as WordPress and Joomla do, except that instead of uploading the directories and files manually over FTP we upload them through a zip file from the ACP and it populates the files and directories into the appropriate directories). The same thing applies to the template views we have. We have them made as PHP files inside a certain directory, so if an admin would like to edit them he can do that through the ACP and save directly into the file. The problem here, again, is that because the template views directory needs to be chmod'ed for read and write, it can lead to serious security flaws.

    So my question here is: under those circumstances, what should be done in order to both have those options in the system and yet not cause any potential security holes or flaws?
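The first half of the question (an admin-uploaded zip that becomes live application code) is where most of the risk sits: the archive can carry `../` entries, files of unexpected types, or enough uncompressed data to fill the disk. The following is an added example, not code from the thread or from any of the posters, showing how an ACP upload handler can validate every entry before anything lands under the web root. `$destDir`, the extension allow-list, the size budget and the staging scheme are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. $destDir, $allowedExt and the
// staging directory scheme are assumptions for illustration.

/**
 * Validate every entry of an admin-uploaded ZIP and install it under $destDir.
 * Returns the relative paths of the files that were installed.
 */
function safeExtractZip(string $zipPath, string $destDir, array $allowedExt, int $maxTotalBytes = 20 * 1024 * 1024): array
{
    $destReal = realpath($destDir);
    if ($destReal === false || !is_dir($destReal)) {
        throw new RuntimeException('Destination directory does not exist');
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('Cannot open archive');
    }

    $total   = 0;
    $entries = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $st   = $zip->statIndex($i);
        $name = $st['name'];

        // Traversal guard: reject absolute paths, drive letters, backslashes and
        // any empty, '.' or '..' segment. This stops entries such as "../../config.php".
        if (str_starts_with($name, '/') || preg_match('~^[A-Za-z]:~', $name) || str_contains($name, '\\')) {
            throw new RuntimeException("Rejected entry: $name");
        }
        foreach (explode('/', rtrim($name, '/')) as $seg) {
            if ($seg === '' || $seg === '.' || $seg === '..') {
                throw new RuntimeException("Rejected entry: $name");
            }
        }

        if (!str_ends_with($name, '/')) {                 // a file, not a directory entry
            // Only allow-listed types become part of the application.
            $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
            if (!in_array($ext, $allowedExt, true)) {
                throw new RuntimeException("Disallowed file type: $name");
            }
            // Budget the uncompressed size so a tiny archive cannot fill the disk.
            $total += $st['size'];
            if ($total > $maxTotalBytes) {
                throw new RuntimeException('Archive exceeds size budget');
            }
        }
        $entries[] = $name;
    }

    // Extract into a private staging directory first so a half-extracted or
    // rejected archive never becomes live code under the web root.
    $staging = $destReal . '/.staging-' . bin2hex(random_bytes(8));
    if (!mkdir($staging, 0750) || !$zip->extractTo($staging, $entries)) {
        throw new RuntimeException('Extraction failed');
    }
    $zip->close();

    // Re-check after extraction: every real path must still lie inside staging.
    foreach ($entries as $name) {
        $real = realpath($staging . '/' . $name);
        if ($real === false || !str_starts_with($real, $staging . '/')) {
            removeTree($staging);
            throw new RuntimeException("Entry escaped staging: $name");
        }
    }

    $installed = [];
    foreach ($entries as $name) {
        $rel = rtrim($name, '/');
        $src = $staging . '/' . $rel;
        $dst = $destReal . '/' . $rel;
        if (is_dir($src)) {
            is_dir($dst) || mkdir($dst, 0755, true);
            continue;
        }
        is_dir(dirname($dst)) || mkdir(dirname($dst), 0755, true);
        rename($src, $dst);
        chmod($dst, 0644);        // readable, never executable or world-writable
        $installed[] = $rel;
    }
    removeTree($staging);
    return $installed;
}

/** Recursively delete the staging directory (does not follow symlinks). */
function removeTree(string $dir): void
{
    foreach (scandir($dir) as $e) {
        if ($e === '.' || $e === '..') continue;
        $p = "$dir/$e";
        (is_dir($p) && !is_link($p)) ? removeTree($p) : unlink($p);
    }
    rmdir($dir);
}

// Usage from the ACP upload handler (constructed):
// $installed = safeExtractZip($_FILES['module']['tmp_name'], __DIR__ . '/modules', ['php', 'css', 'js', 'png']);
```

The two-pass design matters: entry names are checked from the central directory before extraction, and real paths are checked again afterwards, so a crafted archive is rejected as a whole rather than partially installed. Even with these checks, anything that contains `.php` is still code that will run as the webserver user, which is why the upload should be limited to authenticated admins and, as a later post in the thread suggests, compared against known-good packages.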

  2. #2 ArunB (SitePoint Addict; Join Date: Jun 2008, Location: Hyderabad, Posts: 252)
    Give read and write permissions only to the webserver (to the user that the webserver runs as).

    How are you going to make sure that the zip doesn't contain a bad script which deletes your database/deletes your application?
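The permission point above applies most directly to the second feature in the question, the template views that admins edit from the ACP: only the views directory needs to be writable by the webserver user, and the editor must not be able to write anywhere else. The following is an added example, not code from the thread or from any of the posters; `$viewsDir`, the template name pattern and the `writableDirs()` audit helper are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. $viewsDir and the name pattern are
// assumptions for illustration.

/**
 * Save an admin-edited template, but only to a path that resolves inside the
 * views directory. The views directory is the one place the webserver user
 * needs write access; everything else can stay read-only for that user.
 */
function saveTemplate(string $viewsDir, string $relativeName, string $contents): string
{
    $base = realpath($viewsDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('views directory missing');
    }

    // Accept only plain names such as "header.php" or "blog/post.php":
    // no absolute paths, no "..", no odd characters, always a .php view.
    if (!preg_match('~^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*\.php$~', $relativeName)) {
        throw new InvalidArgumentException("invalid template name: $relativeName");
    }
    $target = $base . '/' . $relativeName;

    // The file may not exist yet, so resolve its parent directory and require
    // the resolved path (symlinks followed) to stay inside $base.
    $parent = realpath(dirname($target));
    if ($parent === false || !str_starts_with($parent . '/', $base . '/')) {
        throw new RuntimeException('template path escapes views directory');
    }
    if (is_link($target)) {
        throw new RuntimeException('refusing to write through a symlink');
    }

    // Write to a temp file in the same directory, then rename over the target,
    // so a reader never sees a half-written template.
    $tmp = $parent . '/.' . basename($target) . '.' . bin2hex(random_bytes(4)) . '.tmp';
    if (file_put_contents($tmp, $contents, LOCK_EX) === false
        || !chmod($tmp, 0640) || !rename($tmp, $target)) {
        @unlink($tmp);
        throw new RuntimeException('write failed');
    }
    return $target;
}

/**
 * Audit helper: list directories under $root that the current process (the
 * webserver user, when run from a web request) can write to. The expected
 * result is only the views directory and any module install directory.
 */
function writableDirs(string $root): array
{
    $out = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        if ($info->isDir() && is_writable($path)) {
            $out[] = $path;
        }
    }
    if (is_writable($root)) {
        array_unshift($out, $root);
    }
    return $out;
}

// Usage (constructed):
// saveTemplate(__DIR__ . '/views', $_POST['name'], $_POST['contents']);
// print_r(writableDirs(__DIR__));
```

Run `writableDirs()` once from a request handler (as the webserver user) after deployment; if it lists anything beyond the views and module directories, the chmod has been applied too broadly. The template editor itself is still a way to run arbitrary PHP, so it belongs behind the same admin authentication as the rest of the ACP.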

  3. #3 seoindiauk (SitePoint Zealot; Join Date: Aug 2009, Location: New Delhi, India, Posts: 124)
    Go through the robots text and disallow the desired file(s).

  4. #4 cpace1983 (SitePoint Zealot; Join Date: Sep 2009, Posts: 153)
    Quote Originally Posted by ArunB:
    > Give read and write permissions only to the webserver (to the user that the webserver runs as).
    >
    > How are you going to make sure that the zip doesn't contain a bad script which deletes your database/deletes your application?

    Do an MD5 sum on the uploaded ZIP file, as compared to "officially supported plugins/software updates"?

    That's what I would do, anyways.
    I am a Freelance Linux Consultant.
    I offer flat rate Linux support, as well as hourly support.
    Feel free to visit my blog, Ramblings of a Linux Administrator.
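The comparison against "officially supported" packages suggested above amounts to a hash manifest: hash the archives you obtained from the official source, keep that list outside the web root, and accept an upload only if its hash appears in the list. The following is an added example, not code from the thread or from any of the posters. It checks MD5 as the post suggests and SHA-256 alongside it, since MD5 collisions are practical and a matching MD5 alone is weak evidence; the manifest format, file names and the demo files are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. The manifest format and file names
// are assumptions for illustration.

/**
 * Build a manifest from the archives obtained from the official source.
 * Store the result (e.g. as JSON) outside the web root, read-only for the
 * webserver user, so an attacker who can upload cannot also edit the list.
 */
function buildManifest(array $officialArchives): array
{
    $manifest = [];
    foreach ($officialArchives as $path) {
        $manifest[basename($path)] = [
            'md5'    => hash_file('md5', $path),
            'sha256' => hash_file('sha256', $path),
        ];
    }
    return $manifest;
}

/**
 * Return the manifest entry name that matches the uploaded archive, or throw.
 * md5 is what the post suggests; sha256 is checked as well because md5
 * collisions are practical, so a matching md5 alone is weak evidence.
 */
function verifyUploadedPackage(string $uploadedPath, array $manifest): string
{
    $md5 = hash_file('md5', $uploadedPath);
    $sha = hash_file('sha256', $uploadedPath);
    foreach ($manifest as $name => $hashes) {
        // hash_equals() compares in constant time, with no early exit on the first differing byte.
        if (hash_equals($hashes['sha256'], $sha) && hash_equals($hashes['md5'], $md5)) {
            return $name;
        }
    }
    throw new RuntimeException('uploaded archive does not match any supported package');
}

// Demonstration with constructed files (not real plugins):
$dir = sys_get_temp_dir() . '/pkgdemo-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/forum-1.2.zip", 'official archive bytes');
file_put_contents("$dir/upload.zip",    'official archive bytes');
file_put_contents("$dir/tampered.zip",  'official archive bytes plus one more line');

$manifest = buildManifest(["$dir/forum-1.2.zip"]);
file_put_contents("$dir/manifest.json", json_encode($manifest, JSON_PRETTY_PRINT));

echo verifyUploadedPackage("$dir/upload.zip", $manifest), " accepted\n";
try {
    verifyUploadedPackage("$dir/tampered.zip", $manifest);
} catch (RuntimeException $e) {
    echo "tampered.zip rejected: ", $e->getMessage(), "\n";
}
```

The check only proves that the upload is byte-for-byte one of the packages you already vetted; it says nothing about whether that package is safe, so the manifest should be built from archives fetched directly from the vendor, not from whatever an admin last uploaded. Run the verification before extraction so a mismatching archive never reaches the application directory.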

  5. #5 SitePoint Wizard (Join Date: Mar 2008, Posts: 1,149)
    What is the particular security risk that you want to prevent? Files uploaded by someone not authorized to do so somehow?
