From: Robert D. <rob...@ya...> - 2004-03-07 19:32:37
Subject: [Phpwiki-talk] Status of the UpLoad.php plugin?

Hello,

I set up a wiki for the Maxima project. Works great! I just need to drum up more interest. 8^)

I'm considering enabling file uploads for general users. I see that the UpLoad.php plugin script is enabled for the administrator only by default. Is the script suitable for general use (by disabling the administrator requirement), or is there something fundamentally not OK about it?

Any comments you might have about UpLoad.php or file uploading in general are very welcome.

regards,
Robert Dodier
From: electron <ele...@mg...> - 2004-03-07 19:53:35

Since the upload plugin doesn't currently do any bounds checking, a malicious user can upload a hackme.php and do malicious things. I can come up with a fun list if you really want. Hence why the plugin is currently admin only :/

-Jtp
From: Whit B. <wh...@tr...> - 2004-03-07 20:22:15

On Sun, Mar 07, 2004 at 01:45:24PM -0600, electron wrote:
> Since the upload plugin doesn't currently do any bounds checking, a
> malicious user can upload a hackme.php and do malicious things. I can come
> up with a fun list if you really want.

v 1.6 2004/02/27 (from the nightly a few days back) checks for disallowed extensions including php. That's not enough to be really safe (for instance, .php3 would work, and many servers recognize that). But it would be fairly simple to change it instead to run a regex of _allowed_ extensions (i.e., jpg, jpeg, gif, zip ... whatever fits your purpose) and block everything else. Then all you have to do is be sure there's no way a file with any of your allowed extensions has any way of being executed, or included in something that would render its contents so. YMMV.

In other contexts I've allowed signed-in users to upload via PHP for years, and locked it down to the specific file types that make sense in the context, and (as far as I know) there have been no problems.

Whit
From: electron <ele...@mg...> - 2004-03-07 21:26:58

You can use the GD library to check if a jpg is really a jpg.

The problem with the uploads plugin is usually that the file is accessible right away in uploads. Say: http://www.wiki.org/uploads/hackme.php etc.

Paranoia solution is solved by sandboxing the new upload, running tests to see what it is, and if it's strange put it aside for an admin to look at.

-Jtp
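As an added example (not PhpWiki's UpLoad.php, and not code posted by anyone in this thread), the following PHP puts the three suggestions from Whit's and electron's messages into one upload gate: an allow-list of extensions rather than a deny-list, a GD decode of anything claiming to be an image so a script renamed to .jpg is caught, and quarantine outside the web root for anything that fails, so an administrator can look at it instead of it being served from /uploads right away. The directory layout, the function names, the form field name and the contents of the allow-list are assumptions.

```php
<?php
// Added example, not PhpWiki's UpLoad.php. Directory paths, the allow-list and
// the function names are assumptions chosen for illustration.

// Allowed extension => MIME type that getimagesize() must report.
// null means "not an image; no decode check, but still never executable".
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'png'  => 'image/png',
    'zip'  => null,
];

// Returns ['ok' => true, 'name' => ..., 'ext' => ...]
// or      ['ok' => false, 'reason' => ...].
function validate_upload(string $tmpPath, string $clientName): array
{
    // Keep only the base name: the client-supplied path is untrusted.
    $name = basename($clientName);

    // Exactly one extension and a conservative character set. This refuses
    // "hackme.php.jpg", leading dots (.htaccess) and anything non-ASCII, and
    // it never has to enumerate .php3/.phtml-style variants.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.([A-Za-z0-9]{1,5})$/', $name, $m)) {
        return ['ok' => false, 'reason' => 'name must be <safe chars>.<ext> with a single extension'];
    }
    $ext = strtolower($m[1]);

    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return ['ok' => false, 'reason' => ".$ext is not on the allow-list"];
    }

    $expectedMime = ALLOWED_TYPES[$ext];
    if ($expectedMime !== null) {
        // Header check: getimagesize() reports the type found in the bytes,
        // not the one implied by the extension.
        $info = @getimagesize($tmpPath);
        if ($info === false || $info['mime'] !== $expectedMime) {
            return ['ok' => false, 'reason' => 'content does not match the declared image type'];
        }
        // Full decode with GD (the "is a jpg really a jpg" check): a file with
        // a forged header and a script body fails here.
        $img = @imagecreatefromstring(file_get_contents($tmpPath));
        if ($img === false) {
            return ['ok' => false, 'reason' => 'GD could not decode the image'];
        }
        imagedestroy($img);
    }
    return ['ok' => true, 'name' => $name, 'ext' => $ext];
}

// Moves a verified upload into the served directory, or an unverified one
// into quarantine under a random name with a note explaining why.
// $publicDir must be served with script execution off (for Apache mod_php,
// e.g. "php_flag engine off" in that directory's configuration).
function store_upload(array $file, string $publicDir, string $quarantineDir): array
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'reason' => 'not a valid upload'];
    }

    $verdict = validate_upload($file['tmp_name'], $file['name']);
    if ($verdict['ok']) {
        $dest = $publicDir . '/' . $verdict['name'];
        if (file_exists($dest)) {
            return ['ok' => false, 'reason' => 'a file with that name already exists'];
        }
        if (!move_uploaded_file($file['tmp_name'], $dest)) {
            return ['ok' => false, 'reason' => 'could not store file'];
        }
        chmod($dest, 0644);   // readable, never executable
        return ['ok' => true, 'path' => $dest];
    }

    // Quarantine: random name, no extension, outside the web root.
    $token = bin2hex(random_bytes(16));
    $held  = $quarantineDir . '/' . $token;
    move_uploaded_file($file['tmp_name'], $held);
    chmod($held, 0600);
    file_put_contents($held . '.note',
        date('c') . ' ' . basename($file['name']) . ': ' . $verdict['reason'] . "\n");
    return ['ok' => false, 'reason' => $verdict['reason'], 'held_as' => $token];
}

// Handler usage (assumed form field name "upload" and directory layout).
if (!empty($_FILES['upload'])) {
    $result = store_upload($_FILES['upload'],
                           __DIR__ . '/uploads',               // served by the web server
                           dirname(__DIR__) . '/quarantine');  // not served
    echo $result['ok']
        ? 'Stored ' . htmlspecialchars(basename($result['path']))
        : 'Held for review: ' . htmlspecialchars($result['reason']);
}
```

Two design choices follow directly from the thread. Quarantined files get a random name with no extension, so even if the quarantine directory were ever exposed by mistake nothing in it would match a server handler; and the served uploads directory still has to be configured so that nothing under it is executed or included, because an allow-list only controls what gets written, not what the web server does with it afterwards.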