Secure upload of Word files

I need to allow for Word docs to be uploaded by registered users to a site and am finding their MIME types are either application/msword for .doc or application/vnd.openxmlformats-officedocument.wordprocessingml.document for .docx. I’m now using finfo->buffer to check the MIME type which is apparently more secure.

Anyway, I’m finding the MIME type for some Word docs is application/zip or application/octet-stream (I guess depending on how they’re saved). The latter could be an executable I suppose. If I allow these to be uploaded and not directly accessible (i.e. outside root or in folder with Deny from all and PHP engine disabled) and then use readfile to allow the web admins to download them — sending out the appropriate headers —are there any risks involved? I.e. if I sent out Content-Type: application/msword and then use readfile does that offer any security?

In these situations do you just make sure that a) the file can’t be executed on the web server and b) the end user’s anti-virus would pick up on it if it was malicious when they downloaded it. (Not used anti-virus in years myself as use Mac and Linux!).

Thanks.

If I recall correctly MIME type allows you to check what it is during transfer, after download you can touch the file directly to verify what it is. Transferring a file with the wrong MIME type risks corrupting it. application/octet-stream is one of the more universal types for the transfer of binary data files - again if memory serves you can, in theory, transfer any file as an octet stream, but deriving its role after transfer becomes difficult.

Also keep in mind that even if you do isolate the uploads to Word alone, word has a fairly powerful inbuilt scripting engine that can wreck a fair amount of havoc in the hands of an attacker.

I would recommend virus scan at upload time conducted by the server. Defense in depth never hurt, and this way an attack script must get by both the server and the user’s local scan.

To think Mac and Linux are impervious to viruses is downright foolish - Most web server attacking viruses are written to attack Linux because it has the largest market share for web servers. That said, continuous scan antivirus programs like Norton and McAffee have become a fool’s errand. Modern viruses can change their file signatures on the fly making pattern based identification useless. More invasive monitoring of the system by an antivirus program can chew up more CPU cycles than the virus would if unchallenged - becoming a case of the cure being worse than the disease.

But I’ll stop there. I know very, very little about security protocols and I’m not qualified to give an extensive lecture on them. If you think you’re safe from viruses just becuase you’re on a *nix box, you know less than I do and seriously need to educate yourself before a machine you’re responsible for is compromised.

Hi Michael_Morris,

Thanks for the reply.

The file type uses for PHP uploads can really be set to anything but is usually set by the browser, so should not be trusted. As far as I know, once it’s on the server finfo->buffer is more accurate, though not infallible.

Also keep in mind that even if you do isolate the uploads to Word alone, word has a fairly powerful inbuilt scripting engine that can wreck a fair amount of havoc in the hands of an attacker.

I guess that’s really my question: once downloaded to a user’s computer as a .doc file, what damage can it do on a Windows OS? And what sort of anti-virus do you need to protect yourself against it?

If you think you’re safe from viruses just becuase you’re on a *nix box, you know less than I do and seriously need to educate yourself before a machine you’re responsible for is compromised.

I don’t for one minute think Linux servers are impervious. I actually meant downloaded files have never bothered me as I only run Linux and OS X desktops. I have done so for 10+ years without anti-virus or firewall and have yet to have a virus. Maybe I’m just lucky.

I guess that’s really my question: once downloaded to a user’s computer
as a .doc file, what damage can it do on a Windows OS? And what sort of
anti-virus do you need to protect yourself against it?

This article covers it well enough. http://support.microsoft.com/kb/211607

I don’t for one minute think Linux servers are impervious. I actually
meant downloaded files have never bothered me as I only run Linux and OS
X desktops. I have done so for 10+ years without anti-virus or firewall
and have yet to have a virus. Maybe I’m just lucky.

I don’t run continuous scan antivirus on my Windows 7 box and haven’t been infected either, but I still scan incoming files on both my Windows and Mac. Windows XP is an unsecurable pile, but Vista and on are no worse than *nix boxes, though they used to face far more attack attempts. With the rise of Android though Linux is now subject to the same level of interest by attackers as Windows - at least for that variant of the platform. The one advantage Linux will always have over Windows and OSX/iOS is the diversity of the distros makes it very difficult, if not impossible, to write an attack that can hit them all.

Running without a firewall, at least in the router, is an unnecessary risk. You do have a firewall in your router unless you deliberately turned it off - the one in the OS is somewhat redundant.

Thanks for the info, very useful.

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.