While trying the new features of phpBB 2.1, I noticed the new feature allowing users to post attachments.
I was wondering, isn't that unsafe?
You allow every user to upload every file.
I know there are restrictions like extensions and permissions etc. ... but if you just rename your file, you can easily upload any file.
I mean, if that file is a script of some kind, isn't there a possibility that uploads are unsafe?
If the user can somehow execute a script on the server giving him root powers ... I don't wanna be responsible for the consequences.
Am I totally paranoid, or is it actually a bit unsafe?
Thanks and come again
Attachments are unsafe ?
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Greetzzz,
Nullius
Re: Attachments are unsafe ?
If you open all attachments in your mail it won't be any different to you.
Don't give me my freedom out of pity!
Re: Attachments are unsafe ?
APTX wrote: If you open all attachments in your mail it won't be any different to you.
Now that would be very dangerous.
I don't think the board attachments would be hazardous. I am sure there are different protection systems built in. The file type can be obtained even if the extension is wrong, and AFAIK you can't execute a PHP script unless it is in a .php file.
Re: Attachments are unsafe ?
Nullius wrote: While trying the new features of phpBB 2.1, I noticed the new feature allowing users to post attachments. I was wondering, isn't that unsafe?
Not really. First of all, you can always restrict who can upload files. I know that on my forum, there will be a very detailed discussion on who will get such privileges.
Second, uploading the files does not make them executable. They have to be provided the appropriate permissions on Linux, and on Windows need to have an executable file extension. Further, even on Linux code relies on extensions to determine how it is to be executed. For example, when I run the following code from /files/test.jpg, permissions 644:
<?php
// Test file stored as /files/test.jpg with permissions 644: it includes the
// board configuration and prints the database user name.
include "../config.php";
echo $dbuser;
?>
You can never go home again... but I guess you can shop there.
Re: Attachments are unsafe ?
Simple ... if you notice that a user is abusing his privilege ... no more attachments in the forum for him.
Or (safer) ... give the attach privilege only to trusted folks (and revoke it from abusers).
If a user doesn't have the attach privilege, he can't see the attach panel.
They cannot execute scripts by attaching a PHP file (for example) without its proper extension. If they attach a PHP script with a double extension (for example ... howdarkexploit.php.txt) the script is only a text file, and so not directly executable from your server.
Hope it helps.
[ot] nice this ..
area51 forum wrote: At least one new post has been made to this topic. You may wish to review your post in light of this.
[/ot]
Re: Attachments are unsafe ?
Yeah, alright, but if I rename my .exe (for Windows servers) to .jpg and that file contains a virus, will the whole server be infected?
I know it's possible to rename them because I did it on my local server with an HTML file.
I know an HTML file can't do much wrong, but imagine if someone uploads a file with a virus or something?
Or is it really safe?
Greetzzz,
Nullius
Re: Attachments are unsafe ?
OK ... let's suppose that a bad guy wants to upload a virus to your Windows server and you have no antivirus running on your server.
He uploads the file as winrar.exe.jpg and the virus is in your home.
There would be trouble for your server if he could make the virus run on your server.
From a theoretical point of view this should never happen, 'cause uploaded files are only saved in a folder on your server (with a different extension). They're not running.
(On the other hand there could surely be trouble for your users if they download such files without an updated antivirus.)
[Hope it helps ... please correct me if I'm wrong]
Re: Attachments are unsafe ?
Hey,
And even if you still feel very nervous about this feature in 2.2, remember that you will be able to simply disable it. Most likely there will be no way that an .exe will be able to run from the server anyway, because the only time the user gets the file is by VIEW only in the topics of the forum.
Another thing is that you may choose which extensions to allow/ban etc. I really don't think that you should fear this. Hope this helps.
"Study to shew thyself approved unto God, a workman that needeth not to be ashamed, rightly dividing the word of truth." 2 Timothy 2:15
Thedrumchannell
Prophecy Talk - World News & Bible Prophecy Information
Re: Attachments are unsafe ?
If someone uploads a .exe.jpg, how the hell is he supposed to execute it? It is unable to
For the rest, you should just disable all dangerous extensions like .exe, .bat, .com, .scr, .php, .pl, .cgi, .htm, .html, .js, .vbs etc.
Re: Attachments are unsafe ?
Yeah, thanks for the help everyone.
Indeed, I figured out after some testing that it's quite safe for executable files etc.
BUT: I was able to 'run' an HTML file on my server, just by renaming the file to test.jpg (so the board thought it was an image).
Then I was able to open the HTML file without any problem.
I know some HTML can't harm anyone, but I don't know the real powers of JavaScript.
Is it possible with JavaScript to delete files and stuff?
I only use JavaScript for small things, never gave it a thought whether it could delete or change files.
If JavaScript can't do anything wrong, then the feature is quite safe I think ...
I do have an extra security check, but I'll post that when the beta is released.
Thanks for the replies so far.
Greetzzz,
Nullius
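The two checks the thread keeps circling (an HTML file accepted because it was renamed test.jpg, and the "double extension" case like howdarkexploit.php.txt) can both be handled server-side by looking at the file's content rather than its name, and by serving stored attachments as downloads instead of rendering them. This is an added Python example, not phpBB's own code; the MAGIC table, the function names and the header choices are the example's assumptions, and the sample file contents are constructed.

```python
# Added example (not phpBB code): server-side checks for forum attachments.
# It covers the case discussed in this thread: an HTML file renamed to
# test.jpg passes an extension-only filter and is then rendered by the browser.
# Sample file contents in __main__ are constructed for the demonstration.

# Magic bytes an attachment's content must start with, per allowed extension.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def extension(filename: str) -> str:
    """Last extension, lowercased: 'howdarkexploit.php.txt' -> 'txt'."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def check_attachment(filename: str, data: bytes) -> tuple:
    """Accept only if the extension is allowed AND the bytes match it."""
    ext = extension(filename)
    if ext not in MAGIC:
        return False, f"extension '{ext}' not allowed"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, f"content does not look like a .{ext} file"
    return True, "ok"

def download_headers(filename: str) -> dict:
    """Headers for serving a stored attachment: force a download so it is
    never rendered in the forum's origin, and forbid MIME sniffing."""
    safe_name = "".join(c for c in filename if c not in '"\r\n')
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }

if __name__ == "__main__":
    # Constructed samples: a real JPEG header and the renamed HTML from the thread.
    real_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    renamed_html = b"<html><body>not an image</body></html>"
    print(check_attachment("photo.jpg", real_jpeg))              # (True, 'ok')
    print(check_attachment("test.jpg", renamed_html))            # rejected
    print(check_attachment("howdarkexploit.php.txt", b"<?php"))  # rejected
    print(download_headers("test.jpg"))
```

The content check stops the renamed HTML file from being stored as an "image" at all, and the download headers mean that even a file which slips through is offered as a download rather than executed as a page inside the forum's origin.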