attachment mod and security...

Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here.
mansuetus
Registered User
Posts: 130
Joined: Sun Dec 07, 2003 8:02 pm
Location: Paris, France

attachment mod and security...

Post by mansuetus »

Is it a security failure (well, I think it is) to allow .php attachments?

I KNOW IT IS NOT ALLOWED BY DEFAULT, THAT IS WHY IT IS NOT A SECURITY WARNING, and why I ask...

I explain...

Your board accepts .php files (as attachments).
The bad man sends "flood_da_world.php" and it is stored in the /incoming/ (or anything else) path of phpbb/

and the evil man can follow http://path/to/flood_da_world.php and... flood da world...

---

Can PHP be disallowed in some directories?
Are there other extensions to be careful with? (.exe? .vbs? ...)
A little advertisement for my site: we present killer horoscopes, we offer tests,
and if you look carefully, you will even see a phpBB :-)
come to spontex.org!

maxintosh
Registered User
Posts: 32
Joined: Thu Oct 14, 2004 9:58 am

Re: attachment mod and security...

Post by maxintosh »

I assume the developers are addressing this issue.

olger901
Registered User
Posts: 536
Joined: Tue May 11, 2004 4:57 pm

Re: attachment mod and security...

Post by olger901 »

You can disallow certain extensions from being uploaded.

DeadEye686
Registered User
Posts: 448
Joined: Mon Jul 21, 2003 7:18 pm

Re: attachment mod and security...

Post by DeadEye686 »

mansuetus wrote:
Can PHP be disallowed in some directories?
Are there other extensions to be careful with? (.exe? .vbs? ...)

Yes, refer to open_basedir and PHP safe mode. Even with these precautions in place, I would NOT recommend enabling this.

Martin Blank
Registered User
Posts: 687
Joined: Sun May 11, 2003 11:17 am

Re: attachment mod and security...

Post by Martin Blank »

Indeed... Such things should be limited to image files, and those document files known to not have issues being loaded in such fashion, like PDFs.
You can never go home again... but I guess you can shop there.

markus_petrux
Registered User
Posts: 376
Joined: Fri Jun 18, 2004 10:58 pm
Location: Girona, Catalunya (Spain)

Re: attachment mod and security...

Post by markus_petrux »

Well, you could deny world access to the "uploads" directory using .htaccess rules...

mansuetus
Registered User
Posts: 130
Joined: Sun Dec 07, 2003 8:02 pm
Location: Paris, France

Re: attachment mod and security...

Post by mansuetus »

markus_petrux wrote:
Well, you could deny world access to the "uploads" directory using .htaccess rules...

It is in phpBB 2.1, let's breathe again, we will be able to store our PHP files in here!
/store/.htaccess

<Limit GET POST PUT>
Order Allow,Deny
Deny from All
</Limit>

Sonic McTails
Registered User
Posts: 5
Joined: Thu Dec 09, 2004 10:58 pm

Re: attachment mod and security...

Post by Sonic McTails »

Why not just have phpBB change the file name it stores it to something totally bogus and random (like php_824113.pbb), so no exploits could be uploaded since the web server would have to be set up to parse .pbb files as PHP. The attachments table could store the original file name, and then when downloading one, it automatically changes the name on the fly.
This also makes bandwidth leeching of large files harder since they would have to guess the filename.
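The opaque-name scheme from this post, combined with the images-and-PDFs allowlist from Martin Blank's reply, as an added Python example (not phpBB's attachment code). The class name, the `.pbb` suffix taken from the post, and the sample uploads are assumptions.

```python
import os
import re
import secrets
import tempfile

# Allowlist of types the board will serve (images and PDFs, as Martin Blank
# suggests). .php, .exe, .vbs and anything else not listed is refused.
ALLOWED = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png",
           "gif": "image/gif", "pdf": "application/pdf"}

class AttachmentStore:  # hypothetical class, not phpBB's own code
    """Keeps uploads under opaque random names with a non-executable suffix,
    so the web server never sees a '.php' it could run; the original name
    survives only as metadata used when the file is downloaded again."""

    def __init__(self, root):
        self.root = root
        self.meta = {}  # attachment id -> (original name, mime type)

    def save(self, original_name, data):
        # Only the final extension of the bare filename decides acceptance.
        name = os.path.basename(original_name)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in ALLOWED:
            raise ValueError("attachment type not allowed: %r" % original_name)
        # Unguessable stored name, '.pbb' suffix as in the post above; this
        # also makes hot-linking by guessing filenames impractical.
        att_id = secrets.token_hex(16)
        with open(os.path.join(self.root, att_id + ".pbb"), "wb") as fh:
            fh.write(data)
        self.meta[att_id] = (name, ALLOWED[ext])
        return att_id

    def download_headers(self, att_id):
        """Headers for streaming the file back under its real name."""
        name, mime = self.meta[att_id]
        # Drop anything that could smuggle path separators or header syntax.
        safe = re.sub(r"[^A-Za-z0-9._-]", "_", name)
        return {"Content-Type": mime,
                "Content-Disposition": 'attachment; filename="%s"' % safe,
                "X-Content-Type-Options": "nosniff"}

def demo():
    """Constructed sample uploads: one allowed image, one refused script."""
    store = AttachmentStore(tempfile.mkdtemp())
    att_id = store.save("holiday.jpg", b"constructed jpeg bytes")
    try:
        store.save("flood_da_world.php", b"constructed script bytes")
        rejected = False
    except ValueError:
        rejected = True
    return store, att_id, rejected
```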

DeadEye686
Registered User
Posts: 448
Joined: Mon Jul 21, 2003 7:18 pm

Re: attachment mod and security...

Post by DeadEye686 »

I completely mis-read the OP. You can also add this to your .htaccess to simply turn off PHP parsing on all PHP files in a certain directory:

<Files *.php>
php_flag engine off
</Files>

Sonic McTails
Registered User
Posts: 5
Joined: Thu Dec 09, 2004 10:58 pm

Re: attachment mod and security...

Post by Sonic McTails »

DeadEye686 wrote:
I completely mis-read the OP. You can also add this to your .htaccess to simply turn off PHP parsing on all PHP files in a certain directory:

<Files *.php>
php_flag engine off
</Files>

Actually, my hosting service will start giving 500s; the php_flag field is only allowed if AllowOverrides in the configuration is set to all, and it doesn't do any good for those of us not running Apache.
