Is it a security failure (well, I think it is) to allow .php attachments?
I KNOW IT IS NOT ALLOWED BY DEFAULT, THAT IS WHY IT IS NOT A SECURITY WARNING, and why I ask...
I explain...
Your board accepts .php files (as attachments).
The bad man sends "flood_da_world.php" and it is stored in the /incoming/ (or any other) path of phpbb/
and the evil man can follow http://path/to/flood_da_world.php and... flood da world...
---
Can PHP be disallowed in some directories?
Are there other extensions to be careful with? (.exe? .vbs? ...)
attachment mod and security...
Forum rules
Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here. Feature requests are closed.
- mansuetus
- Registered User
- Posts: 130
- Joined: Sun Dec 07, 2003 8:02 pm
- Location: Paris, France
- Contact:
attachment mod and security...
A little plug for my site: we present horoscopes that kill, we offer tests,
and if you look carefully, you will even see a phpBB.
Come to spontex.org!
Re: attachment mod and security...
I assume the developers are addressing this issue.
-
- Registered User
- Posts: 448
- Joined: Mon Jul 21, 2003 7:18 pm
- Contact:
Re: attachment mod and security...
mansuetus wrote:
> can php be disallowed in some directories ?
> is there other extensions to be careful with ? (.exe ? .vbs ? ...)

Yes, refer to open_basedir and PHP safe mode. Even with these precautions in place, I would NOT recommend enabling this.
-
- Registered User
- Posts: 687
- Joined: Sun May 11, 2003 11:17 am
Re: attachment mod and security...
Indeed... Such things should be limited to image files, and those document files known to not have issues being loaded in such fashion, like PDFs.
You can never go home again... but I guess you can shop there.
-
- Registered User
- Posts: 376
- Joined: Fri Jun 18, 2004 10:58 pm
- Location: Girona, Catalunya (Spain)
- Contact:
Re: attachment mod and security...
Well, you could deny world access to the "uploads" directory using .htaccess rules...
- mansuetus
- Registered User
- Posts: 130
- Joined: Sun Dec 07, 2003 8:02 pm
- Location: Paris, France
- Contact:
Re: attachment mod and security...
markus_petrux wrote:
> Well, you could deny world access to the "uploads" directory using .htaccess rules...

It is in phpbb2.1, let's breathe again, we will be able to store our php files in here!

/store/.htaccess
<Limit GET POST PUT>
Order Allow,Deny
Deny from All
</Limit>
A little plug for my site: we present horoscopes that kill, we offer tests,
and if you look carefully, you will even see a phpBB.
Come to spontex.org!
-
- Registered User
- Posts: 5
- Joined: Thu Dec 09, 2004 10:58 pm
Re: attachment mod and security...
Why not just have phpBB change the file name it stores it under to something totally bogus and random (like php_824113.pbb), so no exploits could be uploaded, since the webserver would have to be set up to parse .pbb files as PHP. The attachments could store the original file name, and then when downloading one, it automatically changes the name on the fly.
This also makes bandwidth leeching of large files harder since they would have to guess the filename.
-
- Registered User
- Posts: 448
- Joined: Mon Jul 21, 2003 7:18 pm
- Contact:
Re: attachment mod and security...
I completely mis-read the OP. You can also add this to your .htaccess to simply turn off PHP parsing on all PHP files in a certain directory:
<Files *.php>
php_flag engine off
</Files>
-
- Registered User
- Posts: 5
- Joined: Thu Dec 09, 2004 10:58 pm
Re: attachment mod and security...
DeadEye686 wrote:
> I completely mis-read the OP. You can also add this to your .htaccess to simply turn off PHP parsing on all PHP files in a certain directory:
> <Files *.php>
> php_flag engine off
> </Files>

Actually, my hosting service will start giving 500s; the php_flag field is only allowed if AllowOverrides in the configuration is set to all, and it doesn't do any good for those of us not running Apache.
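Putting the thread's two ideas together (a random physical name with a fixed non-executable suffix, as suggested above, plus a download script so the original name never becomes a URL) as an added PHP example; this is not phpBB's own code, and STORE_DIR, MAX_BYTES, the extension allowlist and the $meta array are assumptions standing in for phpBB's configuration and attachment table.

```php
<?php
// Added example, not phpBB code. Store an attachment under a random name that the
// web server will never execute, keep the original name as metadata, and serve it
// back through a script. A stored "flood_da_world.php" is never reachable as a PHP URL.
define('STORE_DIR', '/var/www/phpbb_store');   // assumption: outside the web root or denied via .htaccess
define('MAX_BYTES', 2 * 1024 * 1024);          // assumption: 2 MiB limit

// Assumption: a conservative allowlist, in the spirit of "images and PDFs only" above.
$allowed = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt', 'zip'];

// Validate one entry of $_FILES and move it to a random physical name.
// Returns the metadata row to persist, or null if the upload is refused.
function store_attachment(array $file, array $allowed): ?array
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        return null;
    }
    // Only the final extension is checked; the original name never decides how the
    // server handles the file, because the stored name is random with a fixed suffix.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;
    }
    $physical = bin2hex(random_bytes(16)) . '.pbb';   // e.g. 5f3a...c1.pbb, unguessable
    if (!move_uploaded_file($file['tmp_name'], STORE_DIR . '/' . $physical)) {
        return null;
    }
    return ['physical' => $physical, 'orig_name' => basename($file['name'])];
}

// Serve a stored attachment by its metadata row (looked up by id), never by a
// user-supplied path. basename() strips any "../" that might reach the physical name.
function send_attachment(array $meta): void
{
    $path = STORE_DIR . '/' . basename($meta['physical']);
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    // Force a download with a generic type so the browser never renders or sniffs it.
    $safe = str_replace(['"', "\r", "\n"], '', $meta['orig_name']);
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

Because the physical names carry no user input and no executable suffix, this works the same on Apache and on hosts where php_flag in .htaccess is not permitted.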