Ticket #183 (closed task: fixed)

Opened 12 years ago

Last modified 12 years ago

Security: Write only upload dir, script to move to a read only dir

Reported by: kmaclean Owned by: kmaclean
Priority: major Milestone: SpeechSubmission 0.1
Component: SpeechSubmission Version: Website 0.2
Keywords: Cc:

Description

Need a write-only upload directory that is inaccessible to users. Then have a cron script on the Voxforge repository server that will validate (clamav, remove executables, ...) the submission and move it to a read-only directory.

Change History

comment:1 Changed 12 years ago by kmaclean

  • Priority changed from critical to major

comment:2 Changed 12 years ago by kmaclean

However, Apache seems to need other read and execute permissions in order to even display the index of the page ... or to even download a zip file.

comment:3 Changed 12 years ago by kmaclean

See this article: Secure file upload in PHP web applications

Preventing arbitrary code execution on a web server

Preventing an attacker from uploading a PHP file, such as a PHP shell, and executing arbitrary commands on the server with the privilege of the web server process:

<?php
system($_GET['command']);
?>

Content-type verification

An attacker can still set the MIME type of the document to whatever is accepted by the site, and upload a PHP shell.

File name extension verification

What file extensions will be passed on to the PHP interpreter will depend on the server configuration. A developer often has no knowledge and no control over the configuration of the web server where his application is running. We have seen web servers configured to pass files with .html and .js extensions to PHP.

Solution: Indirect access to the uploaded files

The solution is to prevent the users from requesting uploaded files directly. This means either storing the files outside of the web root or creating a directory under the web root and blocking web access to it in the Apache configuration or in a .htaccess file.

Local file inclusion attacks

Even though uploaded files are outside of the web root where they cannot be accessed and executed directly, if the attacker is able to upload files, even outside the web root, and he knows the name and location of the uploaded file, by "including" his uploaded file he can run arbitrary code on the server.

Conclusion

The most important safeguard is to keep uploaded files where they cannot be directly accessed by the users via a direct URL. This can be done either by storing uploaded files outside of the web root or configuring the web server to deny access to the uploads directory.

Another important security measure is to use system-generated file names instead of the names supplied by users when storing files on the file system, to prevent local file inclusion attacks.
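The cron step from the ticket description (validate, drop anything executable, move to a read-only tree) combined with the two recommendations quoted above (keep uploads out of any served directory, store them under server-generated names), as an added shell example that is not part of this ticket or of VoxForge's own scripts. The directory paths, the SCANNER variable (assumed to point at clamav's clamscan), the ZIP-magic check, the extension list and the sample uploads are all constructed for the example.

```shell
#!/bin/sh
# Added example (not VoxForge code): cron-style pass over a write-only upload
# directory that validates each file and promotes it, under a server-chosen
# name, into a read-only tree that is never mapped under the web root.
set -u

# Assumed layout; none of these paths is served by Apache.
INCOMING="${INCOMING:-/var/spool/speech/incoming}"   # web server may write, not list
APPROVED="${APPROVED:-/var/spool/speech/approved}"   # cron user owns it; others read only
REJECTED="${REJECTED:-/var/spool/speech/rejected}"
SCANNER="${SCANNER:-clamscan}"                       # assumed: clamav's clamscan on PATH

# is_zip FILE: succeed only if the file opens with the ZIP local-header magic "PK".
is_zip() {
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = "PK" ]
}

# has_forbidden_extension NAME: succeed if the user-supplied name ends in an
# extension some server could hand to an interpreter. The approved copy never keeps
# the user's name, but rejecting early keeps such uploads out of the tree entirely.
has_forbidden_extension() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.php|*.php[3-7]|*.phtml|*.phar|*.cgi|*.pl|*.py|*.sh|*.exe) return 0 ;;
        *) return 1 ;;
    esac
}

# scan_clean FILE: succeed only when the scanner exists and reports the file clean.
# Fails closed: with no scanner the file stays in quarantine instead of being approved.
scan_clean() {
    if ! command -v "$SCANNER" >/dev/null 2>&1; then
        echo "scanner '$SCANNER' not found; leaving $1 in quarantine" >&2
        return 1
    fi
    "$SCANNER" "$1" >/dev/null 2>&1
}

# system_name: a file name chosen by the server, never derived from the upload,
# so a request cannot address the file by a name the uploader knows.
system_name() {
    printf 'sub-%s-%s-%s.zip' "$(date +%Y%m%d%H%M%S)" "$$" \
        "$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')"
}

# promote FILE: validate one quarantined upload; on success move it into APPROVED
# as mode 0444 under a system name, record the mapping, and print the new path.
promote() {
    src="$1"
    base="$(basename "$src")"
    if has_forbidden_extension "$base" || ! is_zip "$src"; then
        mv "$src" "$REJECTED/" && echo "rejected: $base" >&2
        return 1
    fi
    scan_clean "$src" || return 1
    dest="$APPROVED/$(system_name)"
    mv "$src" "$dest" && chmod 0444 "$dest" || return 1
    printf '%s\t%s\n' "$base" "$(basename "$dest")" >> "$APPROVED/manifest.tsv"
    printf '%s\n' "$dest"
}

# process_incoming: run promote over every regular file in INCOMING; print the
# number promoted so a caller (or a test) can check it.
process_incoming() {
    n=0
    for f in "$INCOMING"/*; do
        [ -f "$f" ] || continue
        promote "$f" >/dev/null && n=$((n + 1))
    done
    echo "$n"
}

# setup_demo: constructed layout in a temp dir with one genuine-looking zip, one
# .php upload and one PHP file disguised with a .zip name (contents are inert).
setup_demo() {
    root="$(mktemp -d)"
    INCOMING="$root/incoming"; APPROVED="$root/approved"; REJECTED="$root/rejected"
    mkdir -p "$INCOMING" "$APPROVED" "$REJECTED"
    chmod 0730 "$INCOMING"    # group (web server) may create files but not list them
    chmod 0755 "$APPROVED"    # everyone may read, only the owning cron user may write
    printf 'PK\003\004constructed zip payload' > "$INCOMING/recording.zip"
    printf '<?php echo "constructed"; ?>' > "$INCOMING/shell.php"
    printf '<?php echo "constructed"; ?>' > "$INCOMING/notreally.zip"
}

# Stand-alone run over the constructed layout. Without clamscan installed the
# genuine zip stays quarantined (fail closed); the other two land in REJECTED.
setup_demo
echo "promoted: $(process_incoming)"
```

The incoming directory is mode 0730 with the web server in its group, which gives the exact "write only" behaviour the ticket asks for: the upload handler can create files but cannot list or re-read them, and since neither directory sits under DocumentRoot the read-and-execute requirement noted in comment:2 never comes into play, because nothing here is meant to be served. The approved tree is owned by the cron user with files at 0444, so the web server (a different user) can read a recording for the thank-you page or the processing tools but cannot modify or replace it. A missing or failing scanner leaves the file in quarantine rather than waving it through.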

comment:4 Changed 12 years ago by kmaclean

  • Status changed from new to closed
  • Resolution set to fixed

For security reasons, the Speech Submission will upload audio submissions to a directory that is not accessible from the Internet. The thank you page will display a list of all pending submissions - these will be processed manually for the time being.

comment:5 Changed 12 years ago by root

  • Milestone SpeechSubmission 0.1 deleted

Milestone SpeechSubmission 0.1 deleted

comment:6 Changed 12 years ago by kmaclean

  • Milestone set to SpeechSubmission 0.1