
upload security risk

2007-04-07
2012-10-11
  • Harold Hallikainen

    I'm running phpwiki 1.3.11p1 (Sep 18, 2005). This morning an IP address from Russia uploaded a PHP script and started wandering around my server, apparently downloading stuff. I've disabled PHP uploads for now. Has anyone else had this problem? Do later versions fix it?

    THANKS!

    Harold

    • Harold Hallikainen

      Thanks for the comments! The preg_match fix suggested above still allows the planting of php3 files, which Apache interprets as PHP. The AddHandler fix also doesn't seem to do the job. More ideas? It SEEMS like we should prevent the upload of anything but specified extensions (for my case, pdf), AND get Apache to send whatever is in this directory as is, with no interpretation.

      THANKS!

      Harold

    • Reini Urban

      Reini Urban - 2007-04-07

      This can only happen if the file extension of the uploaded file has an action handler in your server's settings: php or inc for PHP files, pl for Perl, for example.

      We disable those extensions and therefore disable those action handlers for user data. See your plugin/UpLoad.php code for the list of disabled extensions.

    • Harold Hallikainen

      Thanks! They uploaded a file ending in .php.3, which is not on the list, but apparently my Apache server treats it as PHP. I'll dig through the Apache config. Other ideas?

      THANKS!

      Harold

      • Reini Urban

        Reini Urban - 2007-04-08

        Oha! .php.{\d}

        I will add a check for .php.* also. Big risk.

        Please change your UpLoad check at line 135
        from:
        if (preg_match("/(." . join("|.", $this->disallowed_extensions) . ")\$/",
        to:
        if (preg_match("/(." . join("|.", $this->disallowed_extensions) . ")(.|\$)/",

    • Harold Hallikainen

      For now, I've disabled uploads in php.ini. I'm also having a problem with the phpwiki log. I get an error saying "Please ensure that the file '/var/log/WikiAccess.log' is writable, or redefine ACCESS_LOG in config/config.ini." The log exists, is owned by apache, and is readable and writable by the owner. What should the permissions and ownership of the log file be?

      THANKS!

      Harold

    • Harold Hallikainen

      OK, dumb mistake on the log file... Fixed that! I see in UpLoad.php that there's a "TODO" section on permitted file types. I'd like to just permit PDFs. Also, ideally, I'd like "moderator approval" before any changes, including uploads, become visible.

      Ideas?

      Thanks!

      Harold

    • Harold Hallikainen

      Thanks! That seems to fix it. Any idea on how to make Apache never try to interpret stuff in that directory?

      Harold

    • Harold Hallikainen

      As a follow-up, do you know how deep into the directory structure they could have gotten with this PHP script? The script ended up in /home/user/public_html/WikiName/uploads. Could they get below public_html to see other users' files?

      Thanks!

      • Reini Urban

        Reini Urban - 2007-04-09

        One could have uploaded only into one dir, the upload dir, no subdirs above or below.
        But this doesn't matter, since an uploaded script will be executed, and this script has access to everything which is open to the apache user.
        rm -rf /, for example, will destroy some files.

    • Harold Hallikainen

      Someone on another list also suggested adding this to the .htaccess file in the upload directory:

      AddHandler send-as-is *

      This SHOULD keep Apache from ever trying to interpret anything in this directory.

      Also, I REALLY APPRECIATE the quick fix to this problem!

      Harold

      • Reini Urban

        Reini Urban - 2007-04-09

        I don't like this fix. This will disable inline images.

        Fixing Apache for this case cannot be done per .htaccess, only per httpd.conf.


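The .php.3 bypass reported in this thread comes from a denylist regex that only looks at the last extension. The following is an added example, not phpwiki's own plugin/UpLoad.php code, contrasting an end-anchored denylist check with an allowlist check that permits only a single extension (PDF, as Harold wanted) and rejects any php-like segment anywhere in the name. The extension lists and the sample file names are constructed for illustration.

```php
<?php
// Added example (not phpwiki's UpLoad.php): an end-anchored denylist versus
// an allowlist that also rejects multi-extension names such as "shell.php.3".

// Constructed subset of a denylist; the real list lives in plugin/UpLoad.php.
$disallowed_extensions = array('php', 'php3', 'php4', 'phtml', 'inc', 'pl');
// Extensions this particular site wants to accept (Harold's case: PDF only).
$allowed_extensions = array('pdf');

// Denylist check in the shape quoted in the thread: only the LAST extension
// is compared, so "shell.php.3" is not caught.
function blocked_by_denylist($name, $disallowed) {
    $alts = implode('|', array_map('preg_quote', $disallowed));
    return (bool) preg_match('/\.(' . $alts . ')$/i', $name);
}

// Hardened check: basename only, exactly one extension, that extension on the
// allowlist, and no segment that is denylisted or begins with "php" anywhere.
function upload_name_is_safe($name, $allowed, $disallowed) {
    $name = basename($name);                       // drop any path component
    if ($name === '' || $name[0] === '.') return false;   // no dotfiles (.htaccess)
    $parts = explode('.', strtolower($name));
    if (count($parts) !== 2 || $parts[0] === '') return false;  // exactly "stem.ext"
    foreach ($parts as $seg) {
        if (in_array($seg, $disallowed, true) || strncmp($seg, 'php', 3) === 0) {
            return false;                          // catches php, php3, php.3, PhP5 ...
        }
    }
    return in_array($parts[1], $allowed, true);
}

// Constructed sample names covering the cases discussed in the thread.
$samples = array('manual.pdf', 'shell.php', 'shell.php.3', 'shell.PhP3.pdf',
                 '../x.pdf', 'sample.pdf');
foreach ($samples as $n) {
    printf("%-16s denylist-blocked=%-3s allowlist-accepted=%s\n", $n,
        blocked_by_denylist($n, $disallowed_extensions) ? 'yes' : 'no',
        upload_name_is_safe($n, $allowed_extensions, $disallowed_extensions) ? 'yes' : 'no');
}
```

Note that "sample.pdf" passes the allowlist check even though it contains the letters "pl": segments are compared whole, which a wildcard-extended regex like the one suggested in the thread does not do.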