  1. #1
    SitePoint Enthusiast

    Upload site Flagged By AV's - How to overcome?

    So my site gets flagged by AVs because once in a while a virus will be uploaded.

    Now this doesn't affect sites like fileave.com which actually have viruses on their system, so how come it affects us?

    My site is currently just a PHP upload site; would maybe having MySQL store the files help? I don't know, I'm just asking for tips/methods.

    Thanks.

  2. #2
    . shoooo... silver trophy logic_earth's Avatar
    The others use JavaScript and button presses and other things that make it hard for robots to get the files.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  3. #3
    SitePoint Enthusiast
    Ah, so just JavaScript the whole thing?

  4. #4
    Twitter: @AnthonySterling silver trophy AnthonySterling's Avatar
    Do you want to allow infected content to be uploaded and made available? If not, move the infected file outside of web-root upon upload, and schedule a scan (clamav et al). If it's clean, move to another folder which would then make it available for download.
    @AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.
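
The quarantine, scan and publish steps described in the post above, as an added example that is not part of the original thread. The directory names and log path are assumptions, and it assumes upload.php stores each new file in the quarantine directory under a random name.

```php
<?php
// Added example. Run from cron with the PHP CLI, not through the web server.
// All paths are assumed names and must sit outside the web root.
const QUARANTINE = '/data/quarantine'; // upload.php moves new files here
const PUBLISHED  = '/data/uploads';    // only files that scanned clean
const SCAN_LOG   = '/data/scan.log';

// clamscan exit status: 0 = no virus found, 1 = virus found, 2 = error.
function scanFile(string $path): int
{
    $cmd = 'clamscan --no-summary --infected ' . escapeshellarg($path);
    exec($cmd, $output, $status);
    return $status;
}

function logResult(string $file, string $result): void
{
    $line = date('c') . " $result " . basename($file) . "\n";
    file_put_contents(SCAN_LOG, $line, FILE_APPEND | LOCK_EX);
}

function processQuarantine(): void
{
    // glob() returns the full list up front, so moving files is safe here.
    foreach (glob(QUARANTINE . '/*') ?: [] as $src) {
        if (!is_file($src) || is_link($src)) {
            continue;
        }
        $status = scanFile($src);
        if ($status === 0) {
            // Clean: publish. rename() is atomic on the same filesystem.
            rename($src, PUBLISHED . '/' . basename($src));
            logResult($src, 'clean');
        } elseif ($status === 1) {
            // Infected: delete so it can never be served.
            unlink($src);
            logResult($src, 'infected');
        } else {
            // Scanner failed: fail closed and leave the file quarantined.
            logResult($src, 'scan-error');
        }
    }
}

if (PHP_SAPI === 'cli') {
    processQuarantine();
}
```

Because a scanner error leaves the file in quarantine, an unscanned file is never published by accident.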

  5. #5
    SitePoint Enthusiast
    Hi Anthony, no I don't! I've got a cronjob on the server deleting all .exe files every 4 hours, just because of the issue that there may be viruses.

    Would you suggest having all uploaded files be uploaded to a different location? If so, which?

    At the moment, files are uploaded to (Root)/Uploads

  6. #6
    Twitter: @AnthonySterling silver trophy AnthonySterling's Avatar
    .exe files aren't necessarily bad, you may want to bear that in mind.

    Where would I put them? I'd probably have a structure that looks something like:-

    Code:
    /data/uploads/{files-go-here}
    /www/assets/css/
    /www/assets/js/
    /www/assets/img/
    /www/index.php
    I would have my web server (Apache, IIS, NginX) serve the contents of the 'www' directory. Can you see how the 'data' directory wouldn't be served up by the web server? This is where I'd move the files to, users would be unable to access them. I would then have the application decide whether or not to obtain and deliver the file to the user, a proxy if you will.

    Does the requested file exist, and has it been scanned? If so, deliver it to the user.

    Does that make sense?

  7. #7
    SitePoint Enthusiast
    Yes it does, and sounds reasonable.

    So I would move from the current structure of:

    Code:
    Within Root directory
    /index.php
    /upload.php
    /Uploads
    ...etc...
    to

    Code:
    Within root directory
    /index.php
    /upload.php
    ...etc...
    
    Outside root
    Uploads
    It sounds do-able (my skills in mind), could I just ask how I would point to the folder Uploads in my PHP script?

    I'm planning to put all uploads in there, and have them called from that directory when people want to download them.

    Code:
    <?php
    ob_start();
    
    session_start();
    
    $extensions = array("jpg", "png", "jpeg", "gif", "zip", "rar", "swf", "tiff", "bmp", "txt", "fla", "7z", "tar", "gz", "iso",
        "dmg", "mp3", "wav", "m4a", "aac", "doc", "docx", "xls", "rtf", "ppt", "bsd", "exe", "psd", "c4d", "pdf", "dwg", "max", "ipa",
        "vtf", "iam", "ipt", "flv", "cap", "scr");
    $maxsize = 104288000;
    $server = "http://www.uploadvillage.com";
    
    $name = $_FILES['file']['name'];
    $temp = $_FILES['file']['tmp_name'];
    $size = $_FILES['file']['size'];
    
    $random = md5(uniqid(rand(), true));
    $random = substr($random, 0, 20);
    
    if (!$name || !$temp || !$size)
    {
       echo "Go back and select a file.";
       exit();
    }
    
    foreach ($_FILES as $file)
    {
       if ($file['tmp_name'] != null)
       {
          $thisext1 = explode(".", strtolower($file['name']));
          $thisext = $thisext1[count($thisext1)-1];
          if (!in_array($thisext, $extensions))
          {
             echo "That file type is not allowed.";
             exit();
          }
       }
    }
    
    if ($size > $maxsize)
    {
       echo "File size too big.";
       exit();
    }
    
    $destination = "Uploads/".$random;
    mkdir($destination);
    move_uploaded_file($temp, $destination."/".$name);
    
    $final = $server."/".$destination."/".$name;
    
    $contents = file_get_contents("http://is.gd/create.php?format=simple&url=$final");
    
    
    ?>

  8. #8
    Twitter: @AnthonySterling silver trophy AnthonySterling's Avatar
    Your path to the uploads directory would simply just move up a level, like, '../uploads/'. The double period moves the path up a level.

    Code:
    $destination = '../uploads/' . $random ;

  9. #9
    SitePoint Enthusiast
    Cheers for the help Anthony, doesn't seem to like that directory.

    Code:
    $server = "http://www.mysite.com";
    
    $name = $_FILES['file']['name'];
    $temp = $_FILES['file']['tmp_name'];
    $size = $_FILES['file']['size'];
    
    $destination = '../uploads/'. $random;
    mkdir($destination);
    move_uploaded_file($temp, $destination."/".$name);
    
    $final = $server."/".$destination."/".$name;
    The final URL echoes out as: http://mysite.com/uploads/randomstring/file.txt

    It has full permission at the moment.

  10. #10
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    You can't supply web addresses for files outside the root folder. What you do instead is have a PHP script that retrieves the content of that file and delivers it instead. The actual filename would be passed to the script that does the retrieval.
    Stephen J Chapman


  11. #11
    SitePoint Enthusiast
    So looking at my script in particular, would it be right in saying...

    $yourfile = file_get_contents("/var/www/vhosts/domain.com/Upload/randomstring/file.txt");

    Then echo that out elsewhere?
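
The delivery script suggested in post #10 and asked about in post #11, as an added example that is not part of the original thread. The script name `download.php`, the `id` parameter and the `/data/uploads` path are assumptions; it accepts only the random 20-character id, never a file path, so a request cannot reach files outside the upload directory.

```php
<?php
// Added example: download.php lives in the web root; the files do not.
const UPLOAD_DIR = '/data/uploads'; // assumed path, outside the web root

// Map a download id to the file stored as UPLOAD_DIR/<id>/<original name>.
// Returns null for anything that must not be served.
function resolveDownload(string $id, string $base = UPLOAD_DIR): ?string
{
    // Ids are the 20 hex characters upload.php takes from md5(); refusing
    // everything else keeps "../" and absolute paths out of the lookup.
    if (!preg_match('/\A[a-f0-9]{20}\z/', $id)) {
        return null;
    }
    $root = realpath($base);
    $files = $root === false ? [] : glob($root . '/' . $id . '/*');
    if (!$files) {
        return null;
    }
    // realpath() follows symlinks; the result must still be inside $root.
    $path = realpath($files[0]);
    if ($path === false || !is_file($path)
        || strncmp($path, $root . '/', strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

function sendDownload(string $path): void
{
    // Keep the stored name but strip characters that could break the header.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path); // sends the file in chunks, not as one large string
}

$id = $_GET['id'] ?? '';
$path = resolveDownload(is_string($id) ? $id : '');
if ($path === null) {
    http_response_code(404);
    exit('File not found.');
}
sendDownload($path);
```

Serving every file as `application/octet-stream` with `Content-Disposition: attachment` and `nosniff` makes the browser download it rather than render uploaded HTML or SWF content on the site's own origin.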

