Attachments are unsafe ?

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Nullius
Registered User
Posts: 80
Joined: Mon May 24, 2004 4:16 pm
Location: Belgium

Attachments are unsafe ?

Post by Nullius »

While trying the new features of phpBB 2.1, I noticed the new feature allowing users to post attachments.
I was wondering, isn't that unsafe?

You allow every user to upload every file.
I know there are restrictions like extensions and permissions etc ... but if you just rename your file, you can easily upload every file.

I mean, if that file is a script of some kind, isn't there any possibility that uploads are unsafe?
If the user can somehow execute a script on the server giving him root powers ... I don't wanna be responsible for the consequences.

Am I totally paranoid, or is it actually a bit unsafe?

Thanks and come again ;)
Greetzzz,
Nullius
APTX
Registered User
Posts: 680
Joined: Thu Apr 24, 2003 12:07 pm

Re: Attachments are unsafe ?

Post by APTX »

If you open all attachments in your mail it won't be any different to you.
Don't give me my freedom out of pity!
delos
Registered User
Posts: 44
Joined: Mon Apr 26, 2004 5:12 pm

Re: Attachments are unsafe ?

Post by delos »

APTX wrote:If you open all attachments in your mail it won't be any different to you.
Now that would be very dangerous.

I don't think the board attachments would be hazardous. I am sure there are different protection systems built in. The file type can be obtained even if the extension is wrong, and AFAIK you can't execute a PHP script unless it is in a .php file.
Martin Blank
Registered User
Posts: 687
Joined: Sun May 11, 2003 11:17 am

Re: Attachments are unsafe ?

Post by Martin Blank »

Nullius wrote:While trying the new features of phpBB 2.1, I noticed the new feature allowing users to post attachments.
I was wondering, isn't that unsafe ?
Not really. First of all, you can always restrict who can upload files. I know that on my forum, there will be a very detailed discussion on who will get such privileges.

Second, uploading the files does not make them executable. They have to be provided the appropriate permissions on Linux, and on Windows need to have an executable file extension. Further, even on Linux code relies on extensions to determine how it is to be executed. For example, when I run the following code from /files/test.jpg, permissions 644:

<?php

// Saved as /files/test.jpg with permissions 644: Apache serves it as an image
// and never hands it to the PHP interpreter, so nothing below runs.
include "../config.php";
echo $dbuser;

?>
Firefox produces an error, and IE shows the code text, because Apache is trying to send image information and the browser gets text. Notice, however, that no results are displayed.
You can never go home again... but I guess you can shop there.
-jm-
Registered User
Posts: 150
Joined: Tue Sep 28, 2004 7:36 pm
Location: Løst in the net ;)

Re: Attachments are unsafe ?

Post by -jm- »

Simple ... if you notice that a user is abusing his privilege ... no more attachments in the forum for him :) .
Or (safer) ... give the attachment privilege only to trusted folks (and revoke it from abusers).

If a user doesn't have the attachment privilege, he can't see the attachment panel.

They cannot execute scripts by attaching a PHP file (for example) without its proper extension ;) . If they attach a PHP script with a double extension (for example ... howdarkexploit.php.txt), the script is only a text file, so it is not executable directly from your server.

Hope it helps.

[ot] Nice, this .. :)
area51 forum wrote:At least one new post has been made to this topic. You may wish to review your post in light of this.
[/ot]
Nullius
Registered User
Posts: 80
Joined: Mon May 24, 2004 4:16 pm
Location: Belgium

Re: Attachments are unsafe ?

Post by Nullius »

Yeah, all right, but if I rename my .exe (for Windows servers) to .jpg and that file contains a virus, then the whole server will be infected?
I know it's possible to rename them because I did it on my local server with an HTML file.
I know an HTML file can't do much wrong, but imagine if someone uploads a file with a virus or something?

Or is it really safe?
Greetzzz,
Nullius
-jm-
Registered User
Posts: 150
Joined: Tue Sep 28, 2004 7:36 pm
Location: Løst in the net ;)

Re: Attachments are unsafe ?

Post by -jm- »

OK ... Let's suppose that a bad guy wants to upload a virus to your Windows server and you have no antivirus running on your server.

He uploads the file as winrar.exe.jpg and the virus is in your home :twisted: .
There should be trouble for your server if he can make the virus run on your server.
From a theoretical point of view this should never happen, 'cause uploaded files are only saved in a folder on your server (with a different extension). They're not running.

(On the other hand, there could surely be trouble for your users if they download such files without an updated antivirus.)

[Hope it helps ... please correct me if I'm wrong :mrgreen: ]
thedrumchannell
Registered User
Posts: 26
Joined: Wed Dec 15, 2004 5:34 am
Location: Phoenix, Arizona

Re: Attachments are unsafe ?

Post by thedrumchannell »

Hey,

And even if you still feel very nervous about this feature in 2.2, remember that you will be able to simply disable it. Most likely there will be no way that an .exe will be able to run from the server anyway, because the only time the user gets the file is by VIEW only in the topics of the forum.

Another thing is that you may choose which extensions to allow/ban etc. I really don't think that you should fear this. Hope this helps.
"Study to shew thyself approved unto God, a workman that needeth not to be ashamed, rightly dividing the word of truth." 2 Timothy 2:15

Thedrumchannell
Prophecy Talk - World News & Bible Prophecy Information
olger901
Registered User
Posts: 536
Joined: Tue May 11, 2004 4:57 pm

Re: Attachments are unsafe ?

Post by olger901 »

If someone uploads a .exe.jpg, how the hell is he supposed to execute it? It is unable to.

For the rest you should just disable all dangerous extensions like .exe, .bat, .com, .scr, .php, .pl, .cgi, .htm, .html, .js, .vbs etc...
-
Nullius
Registered User
Posts: 80
Joined: Mon May 24, 2004 4:16 pm
Location: Belgium

Re: Attachments are unsafe ?

Post by Nullius »

Yeah, thanks for the help everyone.

Indeed, I figured out after some testing that it's quite safe for executable files etc.
BUT: I was able to 'run' an HTML file on my server, just by renaming the file to test.jpg (so the board thought it was an image).
Then I was able to open the HTML file without any problem.

I know some HTML can't harm anyone, but I don't know the real powers of JavaScript.
Is it possible with JavaScript to delete files and stuff?
I only use JavaScript for small things, never gave it a thought whether it could delete or change files.

If JavaScript can't do anything wrong, then the feature is quite safe I think ...

I do have an extra security check, but I'll post that when the beta is released ;)

Thanks for the replies so far :)
Greetzzz,
Nullius
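The thread's two findings (a renamed executable is never run by the server, but a renamed HTML file is still rendered by the browser) come down to one rule: decide by the bytes, not the name, and serve stored attachments so the browser cannot reinterpret them. The check below is an added example written for this page, not phpBB's own attachment code; the signature table, the `check_upload` and `download_headers` names and the header policy are assumptions.

```python
import re

# Magic-byte prefixes for the types a board might accept (constructed table, not phpBB's).
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
# Windows executables start with "MZ" whatever name they arrive under (e.g. winrar.exe.jpg).
EXECUTABLE_MAGIC = (b"MZ",)
# Markup or PHP markers that a browser or interpreter would act on if the file were sniffed.
ACTIVE_CONTENT = re.compile(rb"<\s*(script|html|iframe|object|\?php)", re.IGNORECASE)


def sniffed_type(data):
    """Type implied by the leading bytes, or None if nothing in MAGIC matches."""
    for ext, sig in MAGIC.items():
        if data.startswith(sig):
            return ext
    return None


def check_upload(filename, data, allowed=("jpg", "png", "gif")):
    """Return (accepted, reason); the extension only tells us what the user claimed."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in allowed:
        return False, "extension .%s not in allowed list" % ext
    if data.startswith(EXECUTABLE_MAGIC):
        return False, "executable header (MZ) under a non-executable name"
    if ACTIVE_CONTENT.search(data[:4096]):
        return False, "HTML/script content under a non-HTML name"
    real = sniffed_type(data)
    if real is None:
        return False, "unrecognised content, not a supported image"
    if real != ext:
        return False, "content is %s but name says %s" % (real, ext)
    return True, "content matches extension"


def download_headers(stored_name, real_type):
    """Headers for serving a stored attachment: Content-Type fixed from the sniffed
    type, forced download, sniffing disabled. stored_name is the server-assigned
    name, never the user's original filename (assumed deployment policy)."""
    mime = {"jpg": "image/jpeg", "png": "image/png", "gif": "image/gif"}
    return {
        "Content-Type": mime.get(real_type, "application/octet-stream"),
        "Content-Disposition": 'attachment; filename="%s"' % stored_name,
        "X-Content-Type-Options": "nosniff",
    }
```

With the extension whitelist alone, `test.jpg` containing `<html>` passes; the byte checks are what reject it, and the download headers stop a browser from rendering anything that slips through.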