xupload security

watcha · Joined: 08 Oct 2006 Posts: 12

I just installed the free version and it makes a quite good impression.

1.)
How should I chmod the cgi and pm files in the cgi-bin/xupload path?

2.)
I am just wondering about security issues.
Which possible leaks there are currently, which can be result in malicious usage by hackers etc.

I want to allow registered users of my portal to upload media files. But my portal users can be anyone like anonymous users.

Is Xuoad secure enough to use it for such project?
I need to make sure that the users can not hoodwink Xupload and load for example files into my directory which would allow them to hack my server.

Thank you very much in advance.
With kind regards

PilgrimX182 · Posted: Oct 09, 2006 1:19 pm Post subject:

1) .cgi to 755, .pm to 744

2) When we created XUpload we were thinking about security too, so it's pretty safe(hackers won't be able to upload file to another folder except specified in config)

But you have to customize it to check for User cookie or session_id. So you need authorization inside upload.cgi script.

watcha · Joined: 08 Oct 2006 Posts: 12

Thank you for your quick respond! XUpload makes still a very good impression. An belive me I spent already several days on testion upload engines. I have a few more questions before my final decision.

1. I have set my *.pm to 644 and it works.

2.
Could XUpload be utilized by hackers that way, that they upload a file with an allowed extension and rename the extension somehow to cgi extension to execute it than and to damage my webportal?

3.
Is it possible for hackers to download files from the upload folder (folder to which my portal users upload their files)? I do not want to allow download.

Because that way it would make sense for hackers to use my webserver as a storage for hacked uploads and downloads. But if they are only able to upload but not download the interest of doing so would not be as big.

Thank you very much in advance.

PilgrimX182 · Posted: Oct 10, 2006 5:16 am Post subject:

1. Yes, 644 works too, I guess even 444 will work fine, but you won't be able to delete the file, only after chmod Smile

But you can use it to be hackerproof.

2. Don't think they will be able to do this.

3. It's up to you actually. Depends on where upload folder is. If it's in htdocs hackers will be able to download files. I reccomend to put upload dir to folder not available from browser(not htdocs), and send files to your users from PHP, there are tons of scripts(antileech scripts).

Thanks for choosing XUpload.

watcha · Joined: 08 Oct 2006 Posts: 12

Currently I am uploading the files to a folder which is in html/cgi-bin/uploadfinished.

Trying to access this folder, even when typing in the correct filename it just shows an error.

E.g. when trying to access the uploaded file via:
www.mytestsite.com/cgi-bin/uploadfinish/big-file.zip

The user gets:

The server encountered an internal error and was unable to complete your request.

Error message:
Premature end of script headers: big-file.zip

I think this is save enough. Please correct me if I am wrong.
Thank you very much in advance.

PilgrimX182 · Posted: Oct 11, 2006 6:10 am Post subject:

That is correct. You can download files only from htdocs.

hanji · Joined: 10 Nov 2006 Posts: 36

PilgrimX182 · Posted: Nov 10, 2006 6:15 am Post subject:

Thanks hanji,
I have this feature in mind and have module to do this using file headers. No need to install it, so everything will be fine. Look for it forward in next release.

hanji · Joined: 10 Nov 2006 Posts: 36

Nice.. I'm looking forward to it.

hanji