Menu
▾
▴
phpwebsite-developers
|
From: Matthew M. <ma...@tu...> - 2005-04-25 18:47:38
|
Greetings,
There have been several complaints about Documents having problems with
the recent security measures. As you may (or not) know, phpWebSite
parses all uploaded files for specific phrases. If it sees those
phrases, it won't allow the file to be written to the system.
Normally, this works pretty well. However, some of the phrases catch
words in the document. "dl(" is a frequent sticky wicket.
There are two other backup measures added to the parser. First, we
removed the ability for anonymous users to upload documents in
announcements and calendar. Second, phpWebSite checks the file extension
and prohibits executable files from being written.
My question: is this sufficient? I have turned the security parser to
FALSE (i.e. off) in CVS to try and prevent these problems. I would like
some feedback as to whether this will make phpWebSite insecure.
Thanks,
Matt
--
Matthew McNaney
Electronic Student Services
Appalachian State University
http://phpwebsite.appstate.edu
|
|
From: Mike N. <mh...@us...> - 2005-04-26 17:08:56
|
On Mon, 2005-04-25 at 11:41, Matthew McNaney wrote: > There are two other backup measures added to the parser. First, we > removed the ability for anonymous users to upload documents in > announcements and calendar. Second, phpWebSite checks the file extension > and prohibits executable files from being written. Matt, I'm no security expert, but I think uploads should be disabled by default. Then use fine grained permissions to allow uploads for specific users. -- Mike Noyes <mhnoyes at users.sourceforge.net> http://sourceforge.net/users/mhnoyes/ SF.net Projects: leaf, phpwebsite, phpwebsite-comm, sitedocs |
|
From: Shaun M. <sh...@ae...> - 2005-04-26 18:10:30
|
On 26 Apr 2005, at 18:09, Mike Noyes wrote: > On Mon, 2005-04-25 at 11:41, Matthew McNaney wrote: >> There are two other backup measures added to the parser. First, we >> removed the ability for anonymous users to upload documents in >> announcements and calendar. Second, phpWebSite checks the file >> extension >> and prohibits executable files from being written. > > Matt, > I'm no security expert, but I think uploads should be disabled by > default. Then use fine grained permissions to allow uploads for > specific > users. If phpWebSite disallowed all uploads then it'd take a lot of the interactivity out of a site, especially a community site. I really hope we don't have to be that draconian. If anything, I was hoping we can find some way of opening up phpWebSite to MORE uploads. eg. allowing user submitted photos in the photoalbum, creating user specific blogs where they can upload their own images or allowing users to attach documents to calendar events or wikis. I was thinking a three layer approach... Guests - no uploads allowed. Registered users - allow uploads but anything that fails the intensive string check we have now goes to an approval queue and the user's upload privs are revoked until an admin/deity can check what is going on. We'd have to change the filename of the uploaded file or stick it out of the web root so that even the uploaded file couldn't be found out. Admin - no checks. no queue. What would be useful though is better logging of errors so an admin can check if anyone is trying to upload malicious code with IP/username logging. It's also helpful as some users are clueless and don't remember the error message given when they hit a problem or indeed what they were doing. Of course, it'd need everyone to use the same error handler but that's something we're slack on anyway. I'd also like to see the ability to block some domains from being used for registration so that a malicious user couldn't use a temporary hotmail account or dodgeit.com to register, launch an attack and then not come back. Shaun aegis design - http://www.aegisdesign.co.uk |
|
From: <wen...@to...> - 2005-04-26 19:25:10
|
> On 26 Apr 2005, at 18:09, Mike Noyes wrote: > >> On Mon, 2005-04-25 at 11:41, Matthew McNaney wrote: >>> There are two other backup measures added to the parser. First, we >>> removed the ability for anonymous users to upload documents in >>> announcements and calendar. Second, phpWebSite checks the file >>> extension >>> and prohibits executable files from being written. >> >> Matt, >> I'm no security expert, but I think uploads should be disabled by >> default. Then use fine grained permissions to allow uploads for >> specific >> users. > > If phpWebSite disallowed all uploads then it'd take a lot of the > interactivity out of a site, especially a community site. > > I really hope we don't have to be that draconian. If anything, I was > hoping we can find some way of opening up phpWebSite to MORE uploads. > eg. allowing user submitted photos in the photoalbum, creating user > specific blogs where they can upload their own images or allowing users > to attach documents to calendar events or wikis. > > I was thinking a three layer approach... > > Guests - no uploads allowed. > > Registered users - allow uploads but anything that fails the intensive > string check we have now goes to an approval queue and the user's > upload privs are revoked until an admin/deity can check what is going > on. We'd have to change the filename of the uploaded file or stick it > out of the web root so that even the uploaded file couldn't be found > out. > > Admin - no checks. no queue. > > > What would be useful though is better logging of errors so an admin can > check if anyone is trying to upload malicious code with IP/username > logging. It's also helpful as some users are clueless and don't > remember the error message given when they hit a problem or indeed what > they were doing. Of course, it'd need everyone to use the same error > handler but that's something we're slack on anyway. > > I'd also like to see the ability to block some domains from being used > for registration so that a malicious user couldn't use a temporary > hotmail account or dodgeit.com to register, launch an attack and then > not come back. > > > Shaun > aegis design - http://www.aegisdesign.co.uk I don't have a problem with all files being parsed. The issue is that it needs alot more testing. This was something that was created in a couple hours to address a real security issue that could have lead to site defacement at the very least. I think that all that needs to happen is that when people have problems with files that they please attach the files to a bug report so they can be tested against and the check method refined until it does the job without blocking valid uploads. It shouldn'= t be an all or nothing approach. We do need to check for embedded scripts i= n graphics whether anybody likes it or not, or we will be plagued with various security reports about it in the future. Wendall |
|
From: Shaun M. <sh...@ae...> - 2005-04-26 19:36:47
|
On 26 Apr 2005, at 20:24, wen...@to... wrote: > > I think that all that needs to happen is > that when people have problems with files that they please attach the > files to a bug report so they can be tested against and the check > method > refined until it does the job without blocking valid uploads. This was partly why I was advocating logging and 'quarantining' suspect files in the approval queue after a decent error message. We get more examples of suspect files, and users don't just go away thinking the software just doesn't work. A number of people lately have been trying out phpWebSite and finding they can't upload a PDF or an image. Instead of telling me it doesn't work in specific cases, they just go off and try something else. Shaun aegis design - http://www.aegisdesign.co.uk |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X