Menu
▾
▴
Re: [Phpwebsite-developers] Security Question
|
From: <wen...@to...> - 2005-04-26 19:25:10
|
> On 26 Apr 2005, at 18:09, Mike Noyes wrote: > >> On Mon, 2005-04-25 at 11:41, Matthew McNaney wrote: >>> There are two other backup measures added to the parser. First, we >>> removed the ability for anonymous users to upload documents in >>> announcements and calendar. Second, phpWebSite checks the file >>> extension >>> and prohibits executable files from being written. >> >> Matt, >> I'm no security expert, but I think uploads should be disabled by >> default. Then use fine grained permissions to allow uploads for >> specific >> users. > > If phpWebSite disallowed all uploads then it'd take a lot of the > interactivity out of a site, especially a community site. > > I really hope we don't have to be that draconian. If anything, I was > hoping we can find some way of opening up phpWebSite to MORE uploads. > eg. allowing user submitted photos in the photoalbum, creating user > specific blogs where they can upload their own images or allowing users > to attach documents to calendar events or wikis. > > I was thinking a three layer approach... > > Guests - no uploads allowed. > > Registered users - allow uploads but anything that fails the intensive > string check we have now goes to an approval queue and the user's > upload privs are revoked until an admin/deity can check what is going > on. We'd have to change the filename of the uploaded file or stick it > out of the web root so that even the uploaded file couldn't be found > out. > > Admin - no checks. no queue. > > > What would be useful though is better logging of errors so an admin can > check if anyone is trying to upload malicious code with IP/username > logging. It's also helpful as some users are clueless and don't > remember the error message given when they hit a problem or indeed what > they were doing. Of course, it'd need everyone to use the same error > handler but that's something we're slack on anyway. > > I'd also like to see the ability to block some domains from being used > for registration so that a malicious user couldn't use a temporary > hotmail account or dodgeit.com to register, launch an attack and then > not come back. > > > Shaun > aegis design - http://www.aegisdesign.co.uk I don't have a problem with all files being parsed. The issue is that it needs alot more testing. This was something that was created in a couple hours to address a real security issue that could have lead to site defacement at the very least. I think that all that needs to happen is that when people have problems with files that they please attach the files to a bug report so they can be tested against and the check method refined until it does the job without blocking valid uploads. It shouldn'= t be an all or nothing approach. We do need to check for embedded scripts i= n graphics whether anybody likes it or not, or we will be plagued with various security reports about it in the future. Wendall |
