Secure Attachments/Uploads

I was curious as to all the warnings about security on in the admin pages for uploads and attachments and once I'd done some playing on my test forum, realised why. The implementation is very basic to say the least. To bring it up to scratch with the quality of the rest of the forum, I've been having a play at work today to make a more secure version that people won't have to be afraid to use.

Rather than giving hackers your front door key by letting them know where you have a writable directory, the version I've come up with uses an ASP page to deliver the file to you whilst hiding it's true origin on your server. This theorectically could be a directory under your webroot level (similar to securing your Access database if you use one). It's based on some work I was doing with the photo album to stop people leaching images off my site. I've also come up with some forum tags [attach] [/attach] to "process" the attachment. The attachments are managed within a new table in your database and each user has their own upload area rather than the shared one that seems to be the case with the standard issue. I can see that shared folder getting very messy!! Also by using the ASP page to deliver the file, I'll be able to stop Guests from d/ling the attachment, if required.

I've two options here 1) Quick and dirty to get it working for me on my forum or 2) Do it properly for other people to use it as a Mod.

If anyone else is interested in this, let me know and I'll work on it as a proper Mod.

I'm not a huge fan either which is why I'm migrating from Snitz to WWF. WWF has all the features I want as standard that you have to mod into Snitz (that and a better schema amongst other things ).

Using the table to track the attachments should mean it's fairly easy to delete files, I've included the author_id and thread_id even though it's all in the very early stages.

Edited by MrMellie - 27 December 2006 at 10:14pm

The upload support will have a major overhaul when Galleries are added.

However, having an upload directory with write permissions enabled isn't that bigger security risk, the security risk lies more in if you enable write permissions over your whole site and a hacker uploads an 'unsafe' file to the server which gives them control to overwrite your files thus defacing your site.

Web Wiz Forums actually has allot of security built in with this regards, with more being added in 8.05, which prevents unsafe file types being uploaded to the server using Web Wiz Forums, so having write permissions enabled on the upload directory or even someone knowing where it is should not be a big security issue.

It sounds like the solution you have come up with uses the ADO stream object to deliver the files to the user, this in itself has security issues and quite a number of hosts disable the use of this object due to security issues, so would need careful consideration before implementing such a solution in a final product.

Those bulletin boards are written using PHP which would use different methods than ASP based forums and usually on Linux which has a different security and permissions system to windows.

The security warning in the downloads page was placed in for version 7 and maybe should have been updated. The reason for this stern warning is that if a hacker gained control of the admin area they could change the upload configuration to allow other files such as an unsafe ASP file to be uploaded which could then be used to delete or deface the entire site if write and modify permissions were enabled on the entire site.

However, version 7.96 and version 8.x have protection against this. You now can not set 'unsafe' file types in the file upload configuration in the admin area, so a mistaken admin or a hacker can not manipulate the upload tool to upload unsafe file types and gain control of the server that way.

For the next version the security warning on the upload configuration page has been changed to:-

Security Warning - Best Practice Allowing users to upload their own files and images requires that write and modify permissions are enabled on the upload directory for the Internet User Account (IUSR). The best practice for this is to ONLY allow write and modify permissions on the upload directory and 'read only' permissions for the rest of your web site. In the event that your site comes udder attack form a hacker who manages to gain control through the IUSR account, this measure prevents the hacker from destroying or defacing the rest of your web site.

The upload tool does already have allot of protection built in for checking file types to make sure that unsafe files are not uploaded, and version 8.05 goes even further and checks inside of the uploaded file for mime changes which could be used to manipulate client side web browsers.

So all in all the upload tools are pretty safe, and I have not heard of any sites being hacked at all when using version 8.  As long as people follow security instructions and run the latest version then the chances of being hacked are virtually none.