From: Sabri L. <sab...@st...> - 2007-03-08 12:46:14
Hi all,

A few days ago, I received a claim from a customer in our company about not being able to upload a ".pl" file into phpwiki. As you know ".pl" files and others are not allowed to be uploaded for security reasons.

This raised several questions in my team:

- What is the risk?
- Is the risk due to the usage of attachments by phpWiki?
- Could the risk be related to apache and upload directory configurations?
- If we configure apache to not execute files in the upload directory, will there then be a risk of running those files on the server?

Is there any illustration/evidence related to the subject that was identified or discussed before?

What do you advise?

Thanks,
Sabri LABBENE.
From: Reini U. <ru...@x-...> - 2007-03-08 17:50:26
2007/3/8, Sabri LABBENE <sab...@st...>:
> A few days ago, I received a claim from a customer in our company about not being able to upload a ".pl" file into phpwiki. As you know ".pl" files and others are not allowed to be uploaded for security reasons.
> This raised several questions in my team:
>
> - What is the risk?
> - Is the risk due to the usage of attachments by phpWiki?
> - Could the risk be related to apache and upload directory configurations?
> - If we configure apache to not execute files in the upload directory, will there then be a risk of running those files on the server?
>
> Is there any illustration/evidence related to the subject that was identified or discussed before?
>
> What do you advise?

The risk is only due to apache or webserver or browser configurations, so that people might execute unwanted programs.
In a secure or trusted environment I would turn off this extensions check.

Be aware of INLINE_IMAGES. This list of extensions will be inlined and executed per page view.
From: Sabri L. <sab...@st...> - 2007-03-09 08:51:18
Reini Urban wrote:
> 2007/3/8, Sabri LABBENE <sab...@st...>:
>> A few days ago, I received a claim from a customer in our company about not being able to upload a ".pl" file into phpwiki. As you know ".pl" files and others are not allowed to be uploaded for security reasons.
>> This raised several questions in my team:
>>
>> - What is the risk?
>> - Is the risk due to the usage of attachments by phpWiki?
>> - Could the risk be related to apache and upload directory configurations?
>> - If we configure apache to not execute files in the upload directory, will there then be a risk of running those files on the server?
>>
>> Is there any illustration/evidence related to the subject that was identified or discussed before?
>>
>> What do you advise?
>
> The risk is only due to apache or webserver or browser configurations, so that people might execute unwanted programs.
> In a secure or trusted environment I would turn off this extensions check.

In our site apache is configured to not execute files in the upload directory of PhpWiki. Could this be sufficient?

> Be aware of INLINE_IMAGES. This list of extensions will be inlined and executed per page view.

We commented out this line in the config file:

;INLINE_IMAGES = "png|jpg|jpeg|gif"

So I think that there is no risk with inlined images.

BTW, we also turned off getimagesize() because it makes the page loading very slow. Will there then be any risk related to spam prevention?

Thanks,
-- Sabri.
From: Manuel V. <man...@gm...> - 2007-03-09 12:36:48
2007/3/9, Sabri LABBENE <sab...@st...>:
> BTW, we also turned off getimagesize() because it makes the page loading very
> slow. Will there then be any risk related to spam prevention?

In an intranet there is no risk.

-- Manuel
From: Reini U. <ru...@x-...> - 2007-03-10 18:39:11
2007/3/9, Manuel Vacelet <man...@gm...>:
> 2007/3/9, Sabri LABBENE <sab...@st...>:
> > BTW, we also turned off getimagesize() because it makes the page loading very
> > slow. Will there then be any risk related to spam prevention?
>
> In an intranet there is no risk.

There's still the cockpit error risk: the risk of unaware users, who just upload .vbs files as one just did yesterday in my company's super-secure intranet. Thankfully we had the extension check.

After renaming the .vbs to .vbs_ he could upload it, and users could download it without immediate execution.

--
Reini Urban
http://phpwiki.org/ http://murbreak.at/ http://spacemovie.mur.at/ http://helsinki.at/
From: Manuel V. <man...@gm...> - 2007-03-12 15:06:33
2007/3/10, Reini Urban <ru...@x-...>:
> 2007/3/9, Manuel Vacelet <man...@gm...>:
> > 2007/3/9, Sabri LABBENE <sab...@st...>:
> > > BTW, we also turned off getimagesize() because it makes the page loading very
> > > slow. Will there then be any risk related to spam prevention?
> >
> > In an intranet there is no risk.
>
> There's still the cockpit error risk: the risk of unaware users, who
> just upload .vbs files as one just did yesterday in my company's
> super-secure intranet. Thankfully we had the extension check.
>
> After renaming the .vbs to .vbs_ he could upload it, and users could
> download it without immediate execution.

I'm not that Microsoft Windows aware, but this is a client executable, not a server one, isn't it?

I mean, there are no risks of seeing this vbs executed on the server (even a Windows one)?

-- Manuel
From: Reini U. <ru...@x-...> - 2007-03-12 16:15:23
No, never on the server. But certain clients could execute this in the worst case on pageview, and normally when they click on it.

By forcing the uploader to rename it, the user must rename it back to the original to be able to execute it.

2007/3/12, Manuel Vacelet <man...@gm...>:
> 2007/3/10, Reini Urban <ru...@x-...>:
> > 2007/3/9, Manuel Vacelet <man...@gm...>:
> > > 2007/3/9, Sabri LABBENE <sab...@st...>:
> > > > BTW, we also turned off getimagesize() because it makes the page loading very
> > > > slow. Will there then be any risk related to spam prevention?
> > >
> > > In an intranet there is no risk.
> >
> > There's still the cockpit error risk: the risk of unaware users, who
> > just upload .vbs files as one just did yesterday in my company's
> > super-secure intranet. Thankfully we had the extension check.
> >
> > After renaming the .vbs to .vbs_ he could upload it, and users could
> > download it without immediate execution.
>
> I'm not that Microsoft Windows aware, but this is a client executable,
> not a server one, isn't it?
>
> I mean, there are no risks of seeing this vbs executed on the server
> (even a Windows one)?
>
> -- Manuel
>
> _______________________________________________
> Phpwiki-talk mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phpwiki-talk

--
Reini Urban
http://phpwiki.org/ http://murbreak.at/ http://spacemovie.mur.at/ http://helsinki.at/
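The upload policy the thread converges on (a denylist of extensions that clients might execute, a forced rename of blocked names to `name.ext_` so a click no longer triggers the client's script host, and an image check before anything is inlined on page view), as an added PHP example that is not PhpWiki's own code. The constant and function names are assumptions for this illustration; getimagesize() is the standard PHP function the thread mentions.

```php
<?php
// Added example (not PhpWiki's code). The names EXECUTABLE_EXTENSIONS,
// INLINE_IMAGE_EXTENSIONS and filter_upload_name are assumptions.

// Extensions a browser or client OS may hand to an interpreter on click
// or on page view. Constructed list; extend it for your environment.
const EXECUTABLE_EXTENSIONS = ['pl', 'php', 'cgi', 'vbs', 'exe', 'bat',
                               'js', 'html', 'htm', 'svg'];

// Only these may be inlined on page view (the INLINE_IMAGES idea).
const INLINE_IMAGE_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif'];

/**
 * Decide how an uploaded file name is stored.
 * Returns ['name' => stored name, 'inline' => bool, 'renamed' => bool].
 *
 * @param string      $original    client-supplied file name
 * @param string|null $path        local path of the uploaded temp file
 * @param bool        $check_image run getimagesize() on inline candidates
 */
function filter_upload_name(string $original, ?string $path = null,
                            bool $check_image = true): array
{
    // Drop any directory components the client may have sent.
    $name    = basename(str_replace('\\', '/', $original));
    $renamed = false;

    // Judge by the last extension: "foo.jpg.vbs" is treated as "vbs".
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (in_array($ext, EXECUTABLE_EXTENSIONS, true)) {
        // The rename the thread describes: "foo.vbs" is stored as
        // "foo.vbs_", so downloading it does not execute it; the user
        // must rename it back on purpose.
        $name   .= '_';
        $ext    .= '_';
        $renamed = true;
    }

    $inline = in_array($ext, INLINE_IMAGE_EXTENSIONS, true);
    if ($inline && $check_image && $path !== null) {
        // getimagesize() returns false for anything that is not a real
        // image, so a script with a .png name is never inlined per view.
        if (@getimagesize($path) === false) {
            $name   .= '_';
            $inline  = false;
            $renamed = true;
        }
    }
    return ['name' => $name, 'inline' => $inline, 'renamed' => $renamed];
}

// Usage: $r = filter_upload_name($_FILES['f']['name'], $_FILES['f']['tmp_name']);
```

This only addresses the client-side risk the thread discusses; it still belongs alongside a web-server configuration that does not execute anything in the upload directory, as Sabri's site has.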