From: Sabri L. <sab...@st...> - 2007-03-09 08:51:18
Reini Urban wrote:
> 2007/3/8, Sabri LABBENE <sab...@st...>:
>> A few days ago, I received a claim from a customer in our
>> company about not being able to upload a ".pl" file into
>> phpwiki. As you know, ".pl" files and others are not allowed to
>> be uploaded for security reasons.
>>
>> This raised several questions in my team:
>>
>> - What is the risk?
>> - Is the risk due to the usage of attachments by phpWiki?
>> - Could the risk be related to apache and upload directory
>> configurations?
>> - If we configure apache to not execute files in the upload
>> directory, will there then be a risk of running those files on the server?
>>
>> Is there any illustration/evidence related to the subject
>> that was identified or discussed before?
>>
>> What do you advise?
>
> The risk is only due to apache or webserver or browser
> configurations so that people might execute unwanted programs.
> In a secure or trusted environment I would turn off this
> extensions check.

On our site apache is configured to not execute files in the upload directory of PhpWiki. Could this be sufficient?

> Be aware of INLINE_IMAGES. This list of extensions will be
> inlined and executed per page view.

We commented out this line in the config file:

;INLINE_IMAGES = "png|jpg|jpeg|gif"

So I think that there is no risk with inlined images.

BTW, we also turned off getimagesize() because it makes the page loading very slow. Will there then be any risk related to spam prevention?

Thanks,
-- 
Sabri.
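Editor's note, added to this thread and not part of the original exchange or of PhpWiki's shipped configuration: the question above is whether "apache is configured to not execute files in the upload directory" is enough. The Apache fragment below contrasts a weak upload-directory configuration with a hardened one that makes every file in that tree a static download, so that the application-level extension blacklist stops being the only control. The filesystem path /var/www/phpwiki/uploads and the URL prefix /phpwiki/uploads are assumptions chosen for the example; substitute your own.

```apache
# Editor's example configuration, not PhpWiki's own.
# Paths and the alias below are assumed values for illustration.

# --- Weak: the upload tree inherits the vhost's script handlers ---
# With mod_php loaded and AddHandler/AddType for .php (and often
# .phtml, .php3 ...) active in the vhost, a file uploaded as foo.php
# runs on the first GET. The wiki's extension blacklist is then the
# only defence, and one forgotten alias (e.g. .phtml) defeats it.
# AllowOverride All additionally lets an uploaded .htaccess re-add
# handlers that the wiki never checked for.
<Directory /var/www/phpwiki/uploads>
    Options Indexes FollowSymLinks ExecCGI
    AllowOverride All
</Directory>

# --- Hardened: nothing under the upload tree is ever interpreted ---
Alias /phpwiki/uploads /var/www/phpwiki/uploads
<Directory /var/www/phpwiki/uploads>
    # No listings, no CGI, no server-side includes, no symlink escape.
    Options None
    # Ignore any .htaccess that an attacker manages to upload.
    AllowOverride None

    # mod_php: turn the engine off for this tree. Repeat the block
    # for mod_php7.c / mod_php.c if a newer PHP module is loaded.
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>

    # Handler-based setups (php-fpm via proxy_fcgi, mod_cgi, mod_include):
    # strip every inherited handler and type so that each file, including
    # the customer's .pl script, is served as an ordinary static document.
    RemoveHandler .php .phtml .php3 .php4 .php5 .pl .cgi .shtml
    RemoveType .php .phtml .php3 .php4 .php5
    SetHandler default-handler

    # Belt and braces: do not serve PHP-looking files at all, so a
    # handler re-enabled elsewhere by mistake still cannot reach them.
    <FilesMatch "\.(php|phtml|php[3-7])$">
        # Apache 2.4 syntax; on 2.2 use "Deny from all" instead.
        Require all denied
    </FilesMatch>

    # Browser side: stop MIME sniffing and force a download, so an
    # uploaded HTML/JavaScript file saved as .txt or .pl is not rendered
    # inside the wiki's origin.
    <IfModule mod_headers.c>
        Header set X-Content-Type-Options "nosniff"
        Header set Content-Disposition "attachment"
    </IfModule>
</Directory>
```

To check the result, upload a file named test.php containing `<?php echo "executed"; ?>` and fetch it: the response should be a 403 from the FilesMatch block, and the same content saved as test.txt should come back verbatim as a download rather than the string "executed". Two caveats a reviewer would add. First, the Content-Disposition header forces a download for images too; if INLINE_IMAGES is re-enabled later, scope that header with a FilesMatch that excludes the inlined image extensions. Second, this only governs what the web server does with a request for the upload URL: a PHP include or require elsewhere in the application that can be pointed at a path under the upload directory would still execute an uploaded file, so the Apache settings complement, rather than replace, the application's own checks.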