From: Shaun M. <sh...@ae...> - 2005-04-26 18:10:30
On 26 Apr 2005, at 18:09, Mike Noyes wrote:
> On Mon, 2005-04-25 at 11:41, Matthew McNaney wrote:
>> There are two other backup measures added to the parser. First, we
>> removed the ability for anonymous users to upload documents in
>> announcements and calendar. Second, phpWebSite checks the file extension
>> and prohibits executable files from being written.
>
> Matt,
> I'm no security expert, but I think uploads should be disabled by
> default. Then use fine grained permissions to allow uploads for specific
> users.

If phpWebSite disallowed all uploads then it'd take a lot of the interactivity out of a site, especially a community site. I really hope we don't have to be that draconian. If anything, I was hoping we can find some way of opening up phpWebSite to MORE uploads, e.g. allowing user submitted photos in the photoalbum, creating user specific blogs where they can upload their own images, or allowing users to attach documents to calendar events or wikis.

I was thinking a three layer approach...

Guests - no uploads allowed.

Registered users - allow uploads, but anything that fails the intensive string check we have now goes to an approval queue and the user's upload privs are revoked until an admin/deity can check what is going on. We'd have to change the filename of the uploaded file or stick it out of the web root so that even the uploaded file couldn't be found out.

Admin - no checks. No queue.

What would be useful though is better logging of errors so an admin can check if anyone is trying to upload malicious code, with IP/username logging. It's also helpful as some users are clueless and don't remember the error message given when they hit a problem or indeed what they were doing. Of course, it'd need everyone to use the same error handler but that's something we're slack on anyway.

I'd also like to see the ability to block some domains from being used for registration so that a malicious user couldn't use a temporary hotmail account or dodgeit.com to register, launch an attack and then not come back.

Shaun
aegis design - http://www.aegisdesign.co.uk
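The three layer scheme above, written out as an added example handler (not phpWebSite code, and not from anyone in this thread): guests are refused, registered users' files that fail the extension and content checks land in a quarantine directory with a log line for the admin, admins skip the checks. `$role`, `$storeDir` and `$quarantineDir` are assumed inputs; both directories are assumed to sit outside the web root, and the blocked-extension list and content regex are illustrative, not phpWebSite's.

```php
<?php
// Added example of a tiered upload policy; not phpWebSite's own code.
// Assumptions: $role is 'guest', 'user' or 'admin'; $file is one entry of
// $_FILES; $storeDir and $quarantineDir are writable and outside the web root.

// Illustrative list of extensions the web server may execute (assumption).
const BLOCKED_EXT = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar', 'cgi', 'pl', 'py', 'sh', 'htaccess'];

// Returns a reason string when the file fails, null when it passes.
function upload_check(array $file): ?string {
    if ($file['error'] !== UPLOAD_ERR_OK) return 'transfer error ' . $file['error'];
    if (!is_uploaded_file($file['tmp_name'])) return 'not an uploaded file';
    // Look at every extension, not only the last one, so "x.php.jpg" is caught.
    $parts = explode('.', strtolower(basename($file['name'])));
    foreach (array_slice($parts, 1) as $ext) {
        if (in_array($ext, BLOCKED_EXT, true)) return "blocked extension .$ext";
    }
    // The "intensive string check": scan the first 8 KiB for script markers,
    // since the name alone says nothing about what the bytes are.
    $head = file_get_contents($file['tmp_name'], false, null, 0, 8192);
    if ($head === false || preg_match('/<\?php|<\?=|<script/i', $head)) return 'script content';
    return null;
}

function handle_upload(string $role, string $user, array $file,
                       string $storeDir, string $quarantineDir): array {
    if ($role === 'guest') return ['status' => 'denied'];
    // Admins: no checks, no queue.
    $reason = ($role === 'admin') ? null : upload_check($file);
    // The server picks the on-disk name; the client's filename never reaches the filesystem.
    $stored = bin2hex(random_bytes(16));
    $dest = ($reason === null ? $storeDir : $quarantineDir) . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) return ['status' => 'error'];
    if ($reason !== null) {
        // Username and IP in the log so the admin can see who sent what.
        error_log(sprintf('upload quarantined user=%s ip=%s name=%s reason=%s',
            $user, $_SERVER['REMOTE_ADDR'] ?? '-', $file['name'], $reason));
        // Caller is expected to revoke the user's upload privilege until an admin reviews the queue.
        return ['status' => 'queued', 'reason' => $reason, 'stored' => $stored];
    }
    // Caller records $stored against the original name and owner in the database.
    return ['status' => 'stored', 'stored' => $stored];
}
```

Serving a stored file back goes through a script that looks up the original name by `$stored` and sends the bytes with a fixed, non-executable content type, so nothing under `$storeDir` is ever reachable by URL.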