Can users upload viruses to my site?

Requested and Answered by Carnuke on 2004/11/23 14:39:46

Can users upload viruses to my site?

If you are running modules that allow users to upload material of any sort, you should take extra precautions to protect your website and possible proliferation of suspect material through user downloads. An important step to prevent virus uploads and other malicious code is to limit the types of files that users can upload. There are 2 issues here: protecting the server side (your server) and protecting the client side. (your users) As a general rule, limit file upload types to .png .gif .jpg .zip .rar .tar.gz This means that users may still upload other files types packed in a zip or rar, .tar.gz but download users have a chance to scan the download package before decompressing and opening them. A file with an extension of ".exe" has, by default, a Mime type of "application/octet-stream" with Apache. It will not be processed by the server. If requested or linked, it will be sent as a binary stream to the requester. At that point, the client's browser will typically open a dialog box asking if you want to save it or run it locally. But that depends on the client browser. Regardless, it will not be processed as a PHP file on the server end. Doing dynamic includes is very risky - particularly if you are also allowing your users to upload files elsewhere on the page. Consider you have a forum that allows users to upload an avatar or attach files to their posts and this script fails to adequately check the file type of the upload. Then a malicious user might create a file "exploit.jpg" that was actually a php file containing some malicious code. e.g.

echo "H4H D00D UR 73H L4M3R!!!11!!";
?>
This code would normally not be able to be run due to the extension being linked to the image/jpeg MIME-type but PHP does not check these things when using include or require - so the code could be run by calling http://yourdomain.com/yourscript.ph...ars/exploit.jpg The example here would just embarass you (and good grammar) by calling you 73H L4M3R; a real exploit might deliberately trash your site or overload the server disrupting your own service and others. Other ways to protect your scripts is by using .htaccess to determine exactly how files are processed. Definition of.htaccess

This Q&A was found on XOOPS Web Application System : https://xoops.org/modules/smartfaq/faq.php?faqid=184