Webfilebrowser security

Aprelium Forum Index -> PHP
BMN
Joined: 16 Jun 2005
Posts: 16
Posted: Sat Feb 18, 2006 4:13 pm    Post subject: Webfilebrowser security

I've often seen suggestions in this forum that webfilebrowser is a good file upload script to use with Abyss. I've set it up and it's working well, but I have one question about security.

It seems that it's possible for a visitor to upload a .php file and then visit it, possibly giving them access to the entire filesystem.

Is there a way to prevent this either with webfilebrowser or Abyss? Is there a more secure file upload script available somewhere with the same functionality?

My situation is this: I want to have a file upload page open to the public and without passwords, but I want it to be secure.
MonkeyNation
Joined: 05 Feb 2005
Posts: 921
Location: Cardiff
Posted: Sat Feb 18, 2006 11:40 pm

Can you post it so we can try to modify it?
BMN
Joined: 16 Jun 2005
Posts: 16
Posted: Sun Feb 19, 2006 9:35 am

It's available on http://www.webfilebrowser.org
MonkeyNation
Joined: 05 Feb 2005
Posts: 921
Location: Cardiff
Posted: Sun Feb 19, 2006 11:12 am

I don't think you can disable CGI execution on Abyss. (But I may be wrong.)

This however, should stop php files from being uploaded.
Code:
//Line 137 (Add this to a new line.)
// Keys are MIME types a browser might report, values are file extensions.
// The "type" field is sent by the client and can be faked, so the
// extension test further down is the one that actually matters.
$banned_extensions = array("application/x-httpd-php" => "php", "application/x-perl" => "cgi");
//Customize as needed.

//Line 340 (Add this to a new line.)
"illegalfile" => "You're not allowed to upload this type of file.",

//Line 1146 (Add this to a new line.)
// Take the text after the LAST dot, so "shell.jpg.php" is seen as "php"
// rather than "jpg.php".
$uploaded_name = strtolower($HTTP_POST_FILES["file"]["name"]);
$uploaded_ext = preg_replace("/^.*\.([^.]*)$/", "\\1", $uploaded_name);
if (array_key_exists($HTTP_POST_FILES["file"]["type"], $banned_extensions) || in_array($uploaded_ext, $banned_extensions))
  redirectWithMsg("warning", "illegalfile");

//Line 1169 (Add this to a new line.)
// Same extension test for files fetched from a URL.
$parsed_url = parse_url(strtolower($url));
$url_ext = preg_replace("/^.*\.([^.]*)$/", "\\1", $parsed_url["path"]);
if (in_array($url_ext, $banned_extensions))
  redirectWithMsg("warning", "illegalfile");

It could be much cleaner, but that's just something small I knocked up.
You can get the full file here. I'm sure someone's willing to clean it up for you or whatever.
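As an added example (not code from webfilebrowser and not part of the post above), the PHP below shows why a denylist on the "extension" is fragile and what an allowlist gate looks like instead. The function names, the allowlist and the test filenames are assumptions constructed for the demonstration. The same gate should sit in front of every place the script lets a visitor pick a filename: the upload, the fetch-from-URL path, and any rename action.

```php
<?php
// Added example (not webfilebrowser code): gate a visitor-supplied filename
// with an allowlist of extensions instead of a denylist. Assumed names and
// sample inputs only.

// Extensions a public drop box may accept. Anything not listed is refused,
// so a server-side handler the denylist forgot (.phtml, .php5, .cgi, .shtml)
// never slips through.
$ALLOWED_EXTENSIONS = array('txt', 'pdf', 'jpg', 'jpeg', 'png', 'gif', 'zip');

/**
 * Return true if $filename may be stored under the upload directory.
 * Only the basename is considered (path parts cannot escape the directory),
 * dotfiles and bare names are refused, and EVERY dot-separated suffix must
 * be on the allowlist, so "shell.php.jpg" and "shell.jpg.php" both fail.
 */
function uploadNameAllowed($filename, $allowed)
{
    $name = basename(str_replace('\\', '/', $filename));
    if ($name === '' || $name[0] === '.') {
        return false;
    }
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2) {
        return false;          // no extension: we cannot tell what it is
    }
    array_shift($parts);       // drop the base name, keep every suffix
    foreach ($parts as $ext) {
        if ($ext === '' || !in_array($ext, $allowed, true)) {
            return false;
        }
    }
    return true;
}

/**
 * The extension extractor from the forum patch, kept only for comparison.
 * The lazy first group stops at the FIRST dot, so "shell.jpg.php" yields
 * "jpg.php", which a denylist of bare extensions does not contain.
 */
function forumExtension($filename)
{
    return preg_replace('/^(.*?)\.(.*?)$/', '\\2', strtolower($filename));
}

// Constructed sample names: one benign file and several bypass attempts.
$banned = array('php', 'cgi');
$tests  = array('notes.txt', 'shell.php', 'shell.jpg.php', 'shell.php.jpg',
                '../../webfilebrowser.php', '.htaccess', 'README');
foreach ($tests as $t) {
    $denylistBlocks  = in_array(forumExtension($t), $banned, true);
    $allowlistAccept = uploadNameAllowed($t, $ALLOWED_EXTENSIONS);
    printf("%-26s denylist blocks: %-3s  allowlist accepts: %s\n",
        $t, $denylistBlocks ? 'yes' : 'no', $allowlistAccept ? 'yes' : 'no');
}
```

Running it shows "shell.jpg.php" passing the denylist while the allowlist refuses it. Even with the allowlist in place, keep the upload directory out of the server's script paths, as the Aprelium reply further down describes, so a slip in the check does not turn into code execution; the client-supplied MIME type is not worth testing at all, since the browser sets it.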
aprelium
Joined: 22 Mar 2002
Posts: 6800
Posted: Sun Feb 19, 2006 1:55 pm    Post subject: Re: Webfilebrowser security

BMN,

You can restrict the directories where PHP files can be executed by changing the Script Paths table.
Let's say your script is in /wfb and you want to have .php files executable only there. Go to your PHP interpreter declaration, uncheck "Automatically update the script paths". Next add /wfb/*.php to your Script Paths table.

With these settings, only .php files inside /wfb are executed. Any other .php file in the other folders will be served as a normal file.
Support Team
Aprelium - http://www.aprelium.com
jannuh
Joined: 01 Nov 2005
Posts: 14
Location: the Netherlands
Posted: Sun Feb 19, 2006 3:50 pm

I use WFB too, but only with restricted access.
Is it dangerous this way?
(I can trust the users with passwords.)

PHP is a foreign language for me, so I don't want to alter the php files..
aprelium
Joined: 22 Mar 2002
Posts: 6800
Posted: Mon Feb 20, 2006 11:11 am

jannuh,

Never trust people or give them the slightest possibility to mess with your server (even by mistake). :-)

The solution we suggested does not involve any PHP changes. It's only a simple update of your configuration to make it more restrictive when it comes to PHP execution.
Support Team
Aprelium - http://www.aprelium.com
BMN
Joined: 16 Jun 2005
Posts: 16
Posted: Mon Feb 20, 2006 1:26 pm    Post subject: Re: Webfilebrowser security

aprelium wrote:
.php file in the other folders will be served as a normal file.


The problem is that the files are uploaded into the same directory as webfilebrowser.php, so if I made that change it would also disable that script. Is there any way around that? Can I just add webfilebrowser.php to the Script Paths table?


Thanks MonkeyNation for your help too, I will have a look at that code. One problem I foresee with this approach is a user uploading a .txt file and renaming it to .php. However, I might be able to disable the renaming ability.
aprelium
Joined: 22 Mar 2002
Posts: 6800
Posted: Mon Feb 20, 2006 1:30 pm    Post subject: Re: Webfilebrowser security

BMN wrote:
aprelium wrote:
.php file in the other folders will be served as a normal file.


The problem is that the files are uploaded into the same directory as webfilebrowser.php, so if I made that change it would also disable that script. Is there any way around that? Can I just add webfilebrowser.php to the Script Paths table?

Yes, that's possible. You can add a new Script Path, click the Browse button next to the input field, locate webfilebrowser.php and validate.

Of course, do not forget to go to your PHP interpreter declaration and to uncheck "Automatically update the script paths". You may also need to manually add other Script Paths for other PHP scripts you may have on your server.
Support Team
Aprelium - http://www.aprelium.com
BMN
Joined: 16 Jun 2005
Posts: 16
Posted: Mon Feb 20, 2006 2:14 pm    Post subject: Re: Webfilebrowser security

aprelium wrote:
Yes that's possible. You can add a new Script Path and click the Browse next to the input field, locate webfilebrowser.php and validate.


That worked nicely, thanks. I'm surprised that such an obvious potential exploit has always been possible with wfb.
MonkeyNation
Joined: 05 Feb 2005
Posts: 921
Location: Cardiff
Posted: Mon Feb 20, 2006 3:55 pm    Post subject: Re: Webfilebrowser security

aprelium wrote:
BMN,

You can restrict the directories where PHP files can be executed by changing the Script Paths table.
Let's say your script is in /wfb and you want to have .php files executable only there. Go to your PHP interpreter declaration, uncheck "Automatically update the script paths". Next add /wfb/*.php to your Script Paths table.

With these settings, only .php files inside /wfb are executed. Any other .php file in the other folders will be served as a normal file.


Been a while since I've used Abyss, should probably have looked that up or something, heh.

BMN -> Not so sure I'd rely on that too much, I didn't really test it.
All times are GMT + 1 Hour