SmartFAQ is developed by The SmartFactory (http://www.smartfactory.ca), a division of InBox Solutions (http://www.inboxsolutions.net)

Can users upload viruses to my site?
  Requested and Answered by Carnuke on 2004/11/23 14:39:46     9725  reads 
If you are running modules that allow users to upload material of any sort, you should take extra precautions to protect your website and possible proliferation of suspect material through user downloads. An important step to prevent virus uploads and other malicious code is to limit the types of files that users can upload. There are 2 issues here: protecting the server side (your server) and protecting the client side. (your users) As a general rule, limit file upload types to .png .gif .jpg .zip .rar .tar.gz This means that users may still upload other files types packed in a zip or rar, .tar.gz but download users have a chance to scan the download package before decompressing and opening them. A file with an extension of ".exe" has, by default, a Mime type of "application/octet-stream" with Apache. It will not be processed by the server. If requested or linked, it will be sent as a binary stream to the requester. At that point, the client's browser will typically open a dialog box asking if you want to save it or run it locally. But that depends on the client browser. Regardless, it will not be processed as a PHP file on the server end. Doing dynamic includes is very risky - particularly if you are also allowing your users to upload files elsewhere on the page. Consider you have a forum that allows users to upload an avatar or attach files to their posts and this script fails to adequately check the file type of the upload. Then a malicious user might create a file "exploit.jpg" that was actually a php file containing some malicious code. e.g.
<?php
echo "<strong>H4H D00D UR 73H L4M3R!!!11!!<strong>";
?>
This code would normally not be able to be run due to the extension being linked to the image/jpeg MIME-type but PHP does not check these things when using include or require - so the code could be run by calling http://yourdomain.com/yourscript.ph...ars/exploit.jpg The example here would just embarass you (and good grammar) by calling you 73H L4M3R; a real exploit might deliberately trash your site or overload the server disrupting your own service and others. Other ways to protect your scripts is by using .htaccess to determine exactly how files are processed. Definition of.htaccess


The comments are owned by the author. We aren't responsible for their content.


Login

Who's Online

70 user(s) are online (1 user(s) are browsing XOOPS FAQ)


Members: 0


Guests: 70


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Aug 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Did you know ?

You can modify the confirmation email send to your new users

Random question

is it possible to use more than one theme on a xoop site. I'd like to implement different themes to different areas of my site
cheers