Attachments are unsafe ?

[Nullius]

While trying the new features of phpBB 2.1, I noticed the new feature allowing users to post attachments.
I was wondering, isn't that unsafe ?

You allow every user to upload every file.
I know there are restrictions like extensions and permissions etc ... but if you just rename your file, you can easily upload every file.

I mean, if that file is a script of some kind, isn't there any possibility that uploads are unsafe ?
If the user can somehow execute a script on the server giving him root-powers ... I don't wanna be responsible for the consequences.

Am I totally paranoid or is it actually a bit unsafe ?

Thanks and come again

[APTX]

If you open all attachements in your mail it won't be any different to you.

[delos]

If you open all attachements in your mail it won't be any different to you.

now that would be very dangerous.

i don't think the board attachments would be hazardous. i am sure there are different protection systems built in. file type can be obtained even if the extension is wrong and afaik you cant execute a php script unless it is in a .php file.

[Martin Blank]

While trying the new features of phpBB 2.1, I noticed the new feature allowing users to post attachments.
I was wondering, isn't that unsafe ?

Not really. First of all, you can always restrict who can upload files. I know that on my forum, there will be a very detailed discussion on who will get such privileges.

Second, uploading the files does not make them executable. They have to be provided the appropriate permissions on Linux, and on Windows need to have an executable file extension. Further, even on Linux code relies on extensions to determine how it is to be executed. For example, when I run the following code from /files/test.jpg, permissions 644:

Code: Select all

<?php

include "../config.php";
echo $dbuser;

?>

Firefox produces an error, and IE shows the code text, because Apache is trying to send image information and the browser gets text. Notice, however, that no results are displayed.

[-jm-]

Simple ... if you notice that a user is abusing of his privilege ... no more attachment in forum for him .
Or (more safe) ... giving attach privilege only to trusted folks (and revoke it to abusers).

If a user doesn't have attach privilege, he can't see attach panel

They cannot execute scripts attaching a php (for example) without its proper extension . If they attach a php script with double extension (for example ... howdarkexploit.php.txt) the script is only a text file, then not executable directly from your server.

Hope it could help

[ot] nice this ..

At least one new post has been made to this topic. You may wish to review your post inlight of this.

[/ot]

[Nullius]

Yeah allright, but if I rename my .exe (for windows servers) to .jpg and that file contains a virus, then the whole server will be infected ?
I know it's possible to rename them because I did it on my local server with an html-file.
I know an html-file can't do much wrong, but imagine if someone uploads a file with a virus or something ?

Or is it really safe ?

[-jm-]

ok ... Let's suppose that a bad guy want upload a virus on your windows server and you have no antivirus running on your server.

he uploads the file as winrar.exe.jpg and the virus is in your home .
there should be troubles for your server if he can make the virus running on your server.
from a theoretical point of view this should never happen 'cause uploaded files are only saved on a folder in your server (with a different extension). they're not running.

(on the other hand there could be surely troubles for your users if they download such files without an updated antivirus)

[hope it could help ... plz correct me if i'm wrong ]

[thedrumchannell]

Hey,

and even if you still feel very nervous about this feature in 2.2 remember that you will be able to simply disable it. Most likely there will be no way that an .exe will be able to run from the sever anyway because the only time that the user gets the file is by VIEW only in the topics of the forum.

Another thing is that you may choose which extentions to allow/ban ect. I really don't think that you should fear this. Hope this helps.

[olger901]

If someone uploads a .exe.jpg how the hell is he supposed to execute it? It is unable to

For the rest you should just disable all dangerous extensions like .exe, .bat, .com, .scr, .php, .pl, .cgi, .htm, .html, .js, .vbs etc...

[Nullius]

Yeah thanks for the help everyone.

Indeed, I figured out after some testing that it's quite safe for executable files etc.
BUT: I was able to 'run' a hmtl-file on my server, just by renaming the file to test.jpg (so the board thought it was an image).
Then I was able to open the HTML-file without any problem.

I know some HTML can't harm anyone, but I don't know the real powers of Javascript.
Is it possible with javascript to delete files and stuff ?
I only use javascript for small things, never gave it a thought if it could delete or change files.

If Javascript can't do anything wrong, then the feature is quite safe I think ...

I do have an extra security check, but I'll post that when the beta is released

Thanks for the replies so far