On Insecure uploads
11 October 2008
It is a common requirement these days for web applications to provide users with a file upload interface.
You may want to allow your users to upload and share images or documents. Handling user-provided files is dangerous, and the files should be treated with the utmost care.
How was my website hacked/defaced?
The intruder, using the poorly secured interface, uploads a file; the file is saved in a predictable location that is accessible through the web and, most important, the file name stays unmodified.
If these conditions are met, the attacker can upload a prepared file and later request it from the web server simply by typing the URL of the uploaded file into his browser, for example: http://victim.com/uploads/myexploit.php .
Basically the attacker uploads a script providing a file manager or shell-like interface which allows him to execute commands in the security context of your web application. Depending on the capabilities of the web server, he could upload an ASP or PHP script, either coded by himself or found on milw0rm.com. If he can get the server to execute a .cgi, .exe or .dll file, the possibilities are broader.
Usually this gives the attacker enough to at least browse and read any files within your own application's reach. As a bonus he could also obtain write/delete privileges, and things could get nastier. He could simply replace your homepage with a "Here waz 3lite haxor!" and list your site on zone-h.org, or worse, he could start serving spyware and/or mount another attack from your web server.
How to prevent it?
There are several specific solutions to this, depending on the platform, web server and technology combination. I will describe a general approach:
For performance reasons you may want to rely on the web server's capabilities to serve static content like images and documents. In this case we would expose the uploads folder through the web server, either by placing the folder under the root of the web site or by creating a virtual directory pointing to the folder. If the files are served directly by the server, we must then make sure these files are never executed or invoked by the server, as would be the case if a file had a .ASP or .PHP extension. The following measures should be taken to avoid hosting or executing a maliciously injected script.
- Require authentication to access the files.
- Check the file extension against a list of allowed extensions and a list of disallowed extensions.
- Make sure your own scripts' extension is included in the disallowed extensions list.
- Save the file with a randomly generated name and track it in a database.
- Web Server: Disable Script Execution and Directory Browsing in the uploads (virtual) directory.
- File System: Remove Modify/Delete from any ACLs under your web folder.
- File System: Remove Execute from any ACLs in the upload folder. Really, you shouldn't need Execute anywhere on the web content unless you are using CGIs.
- Anti-Virus: It is wise to have an anti-virus monitoring your upload folder.
- Visual Inspection: Check what's in the upload folder once in a while. I'm sure that naively named file filemanager.php will catch your attention.
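The application-side measures above (allowed and disallowed extension lists that include your own scripts' extension, a randomly generated storage name tracked in a database, and authenticated access) put together in one upload handler. This is an added example, not code from the original post; the extension lists, the SQLite table and the owner-based access check are constructed for the illustration, and the server-side settings (script execution, ACLs) still have to be applied separately.

```python
import os
import secrets
import sqlite3
import tempfile

# Constructed policy for this example; it assumes the application's own scripts
# are PHP/ASP, so those and other server-executable extensions are denied.
ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
DENIED = {"php", "phtml", "asp", "aspx", "cgi", "pl", "exe", "dll", "htaccess"}

def is_acceptable(filename):
    """Allow list on the final extension, deny list on every dotted segment,
    so 'shell.php.jpg' is rejected as well as 'shell.php'."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    if any(p in DENIED for p in parts[1:]):
        return False
    return parts[-1] in ALLOWED

def random_storage_name(filename):
    """Drop the user-supplied name entirely; keep only the validated extension."""
    return secrets.token_hex(16) + "." + filename.rsplit(".", 1)[1].lower()

class UploadStore:
    """Random on-disk names, mapped back to original name and owner in a database."""
    def __init__(self, upload_dir=None, db_path=":memory:"):
        self.upload_dir = upload_dir or tempfile.mkdtemp()  # constructed default
        self.db = sqlite3.connect(db_path)
        self.db.execute("CREATE TABLE IF NOT EXISTS uploads "
                        "(stored TEXT PRIMARY KEY, original TEXT, owner TEXT)")

    def save(self, owner, original_name, data):
        if not is_acceptable(original_name):
            raise ValueError("extension not allowed: %r" % original_name)
        stored = random_storage_name(original_name)
        with open(os.path.join(self.upload_dir, stored), "wb") as fh:
            fh.write(data)
        self.db.execute("INSERT INTO uploads VALUES (?, ?, ?)",
                        (stored, original_name, owner))
        self.db.commit()
        return stored

    def fetch(self, requesting_user, stored):
        """Return the file path only to the authenticated owner, else None."""
        row = self.db.execute("SELECT owner FROM uploads WHERE stored = ?",
                              (stored,)).fetchone()
        if row is None or row[0] != requesting_user:
            return None
        return os.path.join(self.upload_dir, stored)
```

Because the stored name never contains user input, the predictable-location and unmodified-name conditions from the first section no longer hold even if the other checks are bypassed.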