Security issues with Uploadify

I just implemented uploadify in my project and I noticed what seems to be an important security issue when uploading:

The folder where the file should be uploaded is provided as a JavaScript argument, therefore client side. If the user modifies the script and fills in a different folder (i.e. "/") for upload, the file is uploaded to a different folder.

There is an option in the config to filter file types, but again this is provided on the client side ("fileExt").

How am I wrong in thinking this could lead to a possible hack? Uploading a PHP file anywhere in the web root and executing it seems easy.

  • Is this the desired behavior?
  • Should I just cross check the upload folder in the uploadify.php file?
  • Do I have to send a notification to the Uploadify developers?

I'm sure I'm not the first to think about it. Oh, and the same goes for other config options like sizeLimit and queueSizeLimit.

+2




5 answers


Just looked at the code (it hasn't been installed anywhere) and it seems to be a security issue. Looking at uploadify.php I see the following:

$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';

      

This means that passing a "/" puts the file in the document root (i.e. your site's home directory). Of course, the user could easily (for example) pass in a folder parameter such as "../../etc" and a file named "passwd". Or, more trivially, he can upload "logo.jpg" to the document root and hey, now you've got porn for the logo!



Of course, even if you are a sandboxed user, there are still many potential problems with allowing a user to randomly upload a file to your server. What if they upload a .php file and then navigate to that file with their browser? They suddenly have the ability to execute arbitrary code on your server!

If you want to do this, you must force the user to upload into a restricted directory (the realpath function will sanitize the path if the user created crazy paths with "../.." or whatever) and you must restrict the types of files allowed (i.e. just ".jpg", ".gif", ".png" or whatever). Even then, an attacker could carry out a DoS by filling the disk quota.

+4
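
The checks this answer describes (realpath confinement to one directory, an extension allowlist, a server-side size limit), as an added example that is not part of the original answer or Uploadify's own code. The base path, limits and function names are assumptions, and `Filedata` is assumed to be the upload field name.

```php
<?php
// Added example. UPLOAD_BASE, MAX_BYTES, ALLOWED_EXT are assumed values, not Uploadify settings.
const UPLOAD_BASE = '/var/www/example/uploads';   // assumed path; must already exist
const MAX_BYTES   = 2 * 1024 * 1024;              // enforced here, whatever sizeLimit the client sent
const ALLOWED_EXT = ['jpg', 'gif', 'png'];

/** Resolve a client-supplied folder and return it only if it stays inside $base. */
function resolveTarget(string $base, string $folder): ?string
{
    $baseReal = realpath($base);
    $target = realpath($base . '/' . $folder);   // collapses "../" and symlinks; false if missing
    if ($baseReal === false || $target === false || !is_dir($target)) {
        return null;
    }
    // Compare with a trailing separator so "/uploads-old" does not match "/uploads".
    if ($target !== $baseReal && strncmp($target, $baseReal . DIRECTORY_SEPARATOR, strlen($baseReal) + 1) !== 0) {
        return null;
    }
    return $target;
}

/** Return the lower-cased extension if it is on the allowlist, otherwise null. */
function allowedExtension(string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? $ext : null;
}

function handleUpload(array $file, string $folder): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload failed or too large');
    }
    $dir = resolveTarget(UPLOAD_BASE, $folder);
    $ext = allowedExtension($file['name']);
    if ($dir === null || $ext === null) {
        throw new RuntimeException('folder or file type not allowed');
    }
    // Server-generated name: the client cannot overwrite "logo.jpg" or end up with ".php".
    $dest = $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

if (isset($_FILES['Filedata'])) {   // 'Filedata' is the assumed field name
    echo handleUpload($_FILES['Filedata'], (string)($_REQUEST['folder'] ?? ''));
}
```

An extension check says nothing about file content, so the upload directory should also be configured so the web server never executes scripts from it. A per-file size cap does not by itself bound total disk use.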




I just want to give my opinion on your post. You forget important things in your analysis. Developers should check the variables in the server-side script. If you are using JavaScript (like uploadify or your own script), or if you are not using JavaScript (just a simple form in HTML), YOU MUST validate the data in the server-side script. So no matter if you use boot or not for your safety. Don't forget that it's easy to download the HTTP request and send it to the server. Thus, the security of the web application is independent of the client.

Thanks for your attention



Guigui

+2




This is really a security issue, a workaround. You should email them and ask them to correct it.

+1




You can place the file anywhere using the server-side script and your config. I never use their javascript config for things like this.

+1




I know this is a bit of an old topic, but here is a note from the plugin developer:

Given the wide variety of scripting languages, server side validation depends on how users code. We are developing a plugin so that those who know what they are doing use what they want for the interface and front end. And creating new scripts to fetch information makes it a little harder for other users, like those using aspx, java, codeigniter, etc., the main parts of the plugin will need to be rewritten.

You can read it in full here.

Remember, server validation is a must! ... You cannot ignore it. This is what I learned from reading SO and the PHP instructions.

0

