PerlMonks  

(ichimunki) Re: Security issues when allowing file upload via CGI

by ichimunki (Priest)
on Dec 06, 2001 at 20:33 UTC


in reply to Security issues when allowing file upload via CGI

I don't see why they need to be chmod to 555, I think 644 is probably more appropriate for data files. This allows the process to write them and everyone else to read them. 555 allows everyone to execute them, which means all I have to do is upload a script to your server and the fun begins.

Beyond that, no... you can't really prevent someone from uploading an .exe file to your system, but without it saying .exe at the end I suspect MS Windows isn't going to do anything meaningful with it-- and without the correct content-type header many other browsers aren't going to treat it correctly either. And if you upload an .exe as a .jpg, it's likely to get served back as a JPEG which won't display since the exe data is not in the correct JPEG format. If a hole existed whereby my browser was fed an unexpected file and then ran that file willy-nilly, it would have been exploited more than Outlook by now.

Replies are listed 'Best First'.
Re: (ichimunki) Re: Security issues when allowing file upload via CGI
by thraxil (Prior) on Dec 06, 2001 at 20:48 UTC

    never underestimate the stupidity of IE and outlook.

    if you take an html file, name it foo.jpg and send it with a mime-type of image/jpeg, IE 5 on the mac and IE 4 on windows will happily parse and render it as html. (probably some versions of outlook exhibit this broken behavior too).

    this technique was once used in a hotmail exploit. email someone a "jpg" and it could grab their password cookie and submit it to another site.

    if securityfocus hadn't changed the structure of their bugtraq archives and broken my bookmarks, i could give you a link...

    i don't think it's quite dumb enough to run an .exe the same way but there's still a lot of mischief that can be done with html+javascript/vbscript

    anders pearson

      Roger that!!

      Had it not been for Micro$oft's feature-laden behemoths, (and their commensurate security patches, and security-patch patches, and so on, new ones of which seem to be required almost daily), never mind OS-related issues, there might never have erupted as pervasive an anti-virus cottage industry as we have (which has since become a full-fledged industry).

      I think you should quarantine uploaded files and run the shell command,

      file {upload filename}

      on them to confirm they are what they purport to be.

      use File::Basename;

      sub validate_image_file {
          my $fn = shift;    # full path to the quarantined upload
          my %file_types = (
              jpg  => 'JPEG file',
              jpeg => 'JPEG file',
              gif  => 'GIF file, v8[79]',
          );

          # get suffix (fileparse only returns one when given a suffix pattern)
          my $ext = lc( ( fileparse( $fn, qr/[^.]+/ ) )[-1] );
          return 0 unless exists $file_types{$ext};

          my $file_cmd_output = `file $fn`;
          chomp $file_cmd_output;
          # file prints "name: description"; drop the name before comparing
          $file_cmd_output =~ s/^\Q$fn\E:\s*//;
          return 0 unless $file_cmd_output =~ /^$file_types{$ext}$/;

          # OK, we probably have what we think we have
          # go ahead and make it accessible, etc.
          accept_file( $fn );    # ... or whatever
          return 1;
      }

      Update: The expectation here is that before this subroutine is called, a file has already been uploaded (ostensibly one whose name ends in .jpg, .jpeg, or .gif) and "quarantined" -- that is, stored somewhere "safe", out of harm's way -- and that the parameter, $fn, to the sub is the full path to this file.

      (Thanks, nufsaid, for bringing up the issue of the tainted-ness of $fn)

      dmm

      Just call me the Anti-Gates ...

        I like the idea, but don't you have to be careful of this line?

        my $file_cmd_output = `file $fn`;

        $fn is tainted and doesn't this give them the chance to sneak a command in via $fn? Need to make sure $fn is clean.

        Joe.
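
Added example, not part of the thread or any poster's code: one way to address the tainted `$fn` concern raised in the last reply is to allow-list the file name and run `file` through a list-form pipe open, so no shell ever parses the name. It assumes a file(1) that supports `-b` and `--mime-type`; the two-argument `validate_image_file`, the MIME table and the sample uploads are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread; names and sample data are constructed.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Extension => MIME type that file(1) must report for that extension.
my %mime_for = ( jpg => 'image/jpeg', jpeg => 'image/jpeg', gif => 'image/gif' );

sub validate_image_file {
    my ( $dir, $name ) = @_;    # quarantine directory, client-supplied name

    # Allow-list the name instead of trusting it; under -T the capture untaints it.
    my ( $clean, $ext ) =
        $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]*\.([A-Za-z]+))\z/
        or return 0;
    my $want = $mime_for{ lc $ext } or return 0;

    # List-form pipe open execs file(1) directly: no shell ever parses the path.
    # "--" ends option parsing, so a name can never be read as a switch.
    open( my $fh, '-|', 'file', '-b', '--mime-type', '--', "$dir/$clean" )
        or return 0;
    my $got = <$fh>;
    close $fh;
    return 0 unless defined $got;
    chomp $got;
    return $got eq $want ? 1 : 0;
}

# Constructed sample uploads, written to a throwaway quarantine directory.
my $quarantine = tempdir( CLEANUP => 1 );
my %samples = (
    'photo.jpg' => "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00",
    'anim.gif'  => "GIF89a\x01\x00\x01\x00\x00\x00\x00;",
    'page.jpg'  => "<html><body><script>/* HTML, not a JPEG */</script></body></html>\n",
);
for my $name ( keys %samples ) {
    open( my $out, '>:raw', "$quarantine/$name" ) or die "write $name: $!";
    print {$out} $samples{$name};
    close $out or die "close $name: $!";
}

# The last name carries shell metacharacters and is refused before file(1) runs.
for my $name ( 'photo.jpg', 'anim.gif', 'page.jpg', 'x.jpg; echo injected' ) {
    printf "%-22s %s\n", $name,
        validate_image_file( $quarantine, $name ) ? 'accept' : 'reject';
}
```

The `page.jpg` sample is the renamed-HTML case described earlier in the thread: its extension says JPEG, so it is refused unless file(1) also reports `image/jpeg` for its content.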
