Site Vulnerability?
I just noticed it today, all the things that make my site vulnerable to everything.

HOW can people upload files to your site? Are you saying they may be able to crack your FTP access? Then change your password frequently and make it a strong one.

No no no. I have upload forms. (Not yet available to public.) People don't know the upload directory, but what if they just went anonymous FTP and found it? They could upload a PHP file that could potentially take over... And there are many other ways. How about this: how would I force an upload form to deny a PHP file?

Quote:
    People don't know the upload directory, but what if they just went anonymous FTP and found it?
Disable anonymous FTP access, or point it at a directory that prevents them viewing any other directories.

Quote:
    They could upload a PHP file that could potentially take over...
Only if anonymous uploading is permitted AND such uploads can be accessed via the web server. Please tell me you're not that silly? That is pretty much the most insecure setup you could create for any web site.

Quote:
    How would I force an upload form to deny a PHP file?
Wrong question. You NEVER trust anything uploaded by a user. So you NEVER let a user upload to a folder that can then be accessed through the web server. The reasons for that should be obvious... If an OUTSIDE user can force the web server to parse a file he uploaded, he can do pretty much anything he likes with your server. Therefore, whatever form processes the upload should check the file first, and enforce requirements (such as determining the file name and final location). NEVER EVER put your web server in a position where it can be FORCED to run a file (of ANY TYPE) uploaded by a user. Have I said that enough times yet?

Quote:
    Quote:
        People don't know the upload directory, but what if they just went anonymous FTP and found it?
    Disable anonymous FTP access, or point it at a directory that prevents them viewing any other directories.
I believe it is already disabled. But just to be sure, I will check...

Quote:
    Quote:
        They could upload a PHP file that could potentially take over...
    Only if anonymous uploading is permitted AND such uploads can be accessed via the web server.
They could upload a PHP file through the form (which is not available to the public; in fact, it's protected and password restricted right now).

Quote:
    Quote:
        How would I force an upload form to deny a PHP file?
    Wrong question. You NEVER trust anything uploaded by a user. So you NEVER let a user upload to a folder that can then be accessed through the web server. The reasons for that should be obvious... If an outside user can force the web server to parse a file he uploaded, he can do pretty much anything he likes with your server.
The form is what would allow any file to be uploaded. Not FTP. Re-write: "How would I make a form only allow images to be uploaded" (as the form is for images, and I would like images to be uploaded there).

Well, in that case, I think I am MOSTLY fine. I can rename the files as they come in. I am sent an email with a link to the file, and the files are automatically renamed. I will start another thread about acceptable file extensions. So, for now, I think I am all good!

If you keep the account safe, leave the rest to Scott
Flame

Quote:
    If you keep the account safe, leave the rest to Scott
Scott? BTW: Flame, I have been sending emails to [emailprotected], and have received no replies.
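The reply above gives the rule (check the file first, let the server choose the name and location, never let an upload land where the web server will parse it) and the re-written question asks how to accept only images. The following PHP upload handler is an added example illustrating both points; it is not code from any poster in this thread. It assumes a form field named `image`, a `UPLOAD_DIR` path that the web server can write to but does not serve (outside the document root), and a 2 MiB size limit; all three are assumptions for the example.

```php
<?php
// Added example, not from the thread. Assumptions: form field "image",
// UPLOAD_DIR is writable by the web server but outside the document root,
// and MAX_BYTES is the site's own size policy.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumed path, NOT under the web root
const MAX_BYTES  = 2 * 1024 * 1024;      // assumed 2 MiB limit

// Image types we accept, keyed by the MIME type detected from file CONTENT,
// mapped to the extension the server assigns. The client's name is ignored.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and move it under a server-chosen name.
 * Returns the stored file name, or null if the upload is rejected.
 */
function storeUploadedImage(array $file): ?string
{
    // 1. Accept only a file PHP actually received in this request, with no upload error.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if ($file['size'] > MAX_BYTES) {
        return null;
    }

    // 2. Decide the type from the bytes, never from $_FILES['type'] or the client file name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        return null;
    }
    // getimagesize() returns false for anything it cannot parse as an image.
    if (getimagesize($file['tmp_name']) === false) {
        return null;
    }

    // 3. The server determines the file name and final location.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640); // readable by the application, never executable
    return $name;
}

/**
 * Hand a stored image back to a browser through this script, so the upload
 * directory itself never has to be reachable through the web server.
 */
function sendStoredImage(string $name): void
{
    // Only the exact name shape we generate is accepted: 32 hex chars plus a known extension.
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|png|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED_TYPES, true);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['image'])) {
    $stored = storeUploadedImage($_FILES['image']);
    echo $stored === null ? 'Upload rejected.' : 'Stored as ' . htmlspecialchars($stored);
}
```

The content check (`finfo` plus `getimagesize`) is what answers "only allow images"; the server-generated name and the out-of-webroot directory are what answer the reply's stronger point, because even a file that passes the image check is never somewhere the web server would execute it. Serving through `sendStoredImage()` with a fixed `Content-Type` and `nosniff` keeps the browser from treating the bytes as anything but an image.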