On Fri, 10 Nov 2006 14:06:43 +1300
Peter Butler <peter.butler@141.com> wrote:
ideally, remove execute/write permissions to the file, so it's just
444. ensure the file is owned by nobody.
If you are running Linux a good option is to put user-uploaded files
into a partition mounted with the "noexec" option. This provides some
protection against someone uploading a malicious executable (although
I don't think it will protect against a malicious PHP script, given
that PHP scripts don't need execute permission to be run by the web
server).
this is only mod_php/mod_perl. for cgi exec i believe u+x, g+x, o+x
(111+) might be required.
using http to upload is probably the most reliable method of
uploading data, however, it's quite hard to upload large directories
unless the user packs everything into a tar/zip and the upload
processor is zip/tar aware.
Be aware that processing the file in any way (gzip/zip, resizing
images, etc) exposes you to vulnerabilities that may exist in the
library or program that you use to do the processing. For example
there were recently posts to the bugtraq mailing list about
vulnerabilities in gzip.
yes, other things too like adding it to a db with addslashes, pulling it
out and then putting it back into the db, but forgetting to run
addslashes again could pose a problem.
--
Regards, Ed :: http://www.s5h.net
:%s/\t/ /g :: proud unix system person
:%s/Open Source/Free Software/g
-------------------------------------------------------------------------
Sponsored by: Watchfire
It's been reported that 75% of websites are vulnerable to attack. That's
because hackers know to exploit weaknesses in web applications.
Traditional approaches to securing these assets no longer apply.
Download the "Addressing Challenges in Application Security" whitepaper
today, and see for yourself.
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008YTU
--------------------------------------------------------------------------
