Print Page | Close Window

Secure Attachments/Uploads Printed From: Web Wiz Forums Category: Web Wiz Web App Support Forums Forum Name: Web Wiz Forums Modifications Forum Description: Mod's and Add-on's for Web Wiz Forums. URL: https://forums.webwiz.net/forum_posts.asp?TID=22283 Printed Date: 30 March 2026 at 3:54am Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com Topic: Secure Attachments/Uploads Posted By: MrMellie Subject: Secure Attachments/Uploads Date Posted: 27 December 2006 at 8:55pm I was curious as to all the warnings about security on in the admin pages for uploads and attachments and once I'd done some playing on my test forum, realised why. The implementation is very basic to say the least. To bring it up to scratch with the quality of the rest of the forum, I've been having a play at work today to make a more secure version that people won't have to be afraid to use. Rather than giving hackers your front door key by letting them know where you have a writable directory, the version I've come up with uses an ASP page to deliver the file to you whilst hiding it's true origin on your server. This theorectically could be a directory under your webroot level (similar to securing your Access database if you use one). It's based on some work I was doing with the photo album to stop people leaching images off my site. I've also come up with some forum tags [attach] [/attach] to "process" the attachment. The attachments are managed within a new table in your database and each user has their own upload area rather than the shared one that seems to be the case with the standard issue. I can see that shared folder getting very messy!! Also by using the ASP page to deliver the file, I'll be able to stop Guests from d/ling the attachment, if required. I've two options here 1) Quick and dirty to get it working for me on my forum or 2) Do it properly for other people to use it as a Mod. If anyone else is interested in this, let me know and I'll work on it as a proper Mod. Replies: Posted By: dpyers Date Posted: 27 December 2006 at 9:40pm I'm not a big fan of mods as they usually turn out to be maintenance nightmares but I'd go for this one and eat the maintenance.  There a good number of forum sites out there that are oriented around pictures or file sharing. I think they'd be interested as well. ISTRC that one of the reasons Borg went to the new upload was issues with removing pics if users or posts were deleted. ------------- Lead me not into temptation... I know the short cut, follow me. Posted By: MrMellie Date Posted: 27 December 2006 at 10:14pm I'm not a huge fan either which is why I'm migrating from Snitz to WWF. WWF has all the features I want as standard that you have to mod into Snitz (that and a better schema amongst other things ). Using the table to track the attachments should mean it's fairly easy to delete files, I've included the author_id and thread_id even though it's all in the very early stages. Posted By: MrMellie Date Posted: 02 January 2007 at 7:21pm Been making headway with this but it's turning into a bigger project than I thought as avatars and image uploads are all tied in. What I've got so far works really well. It'll allow indidviduals to manage their own uploads and the admin to put restrictions on. Just wondered if Borg was already developing something like this for V9? If so I might knock it on the head and wait rather than duplicating work. If not, I'll carry on and we can then try and convince him to include it. Posted By: WebWiz-Bruce Date Posted: 02 January 2007 at 7:53pm The upload support will have a major overhaul when Galleries are added. However, having an upload directory with write permissions enabled isn't that bigger security risk, the security risk lies more in if you enable write permissions over your whole site and a hacker uploads an 'unsafe' file to the server which gives them control to overwrite your files thus defacing your site. Web Wiz Forums actually has allot of security built in with this regards, with more being added in 8.05, which prevents unsafe file types being uploaded to the server using Web Wiz Forums, so having write permissions enabled on the upload directory or even someone knowing where it is should not be a big security issue. It sounds like the solution you have come up with uses the ADO stream object to deliver the files to the user, this in itself has security issues and quite a number of hosts disable the use of this object due to security issues, so would need careful consideration before implementing such a solution in a final product. ------------- https://www.webwiz.net/web-wiz-forums/forum-hosting.htm" rel="nofollow - Web Wiz Forums Hosting https://www.webwiz.net/web-hosting/windows-web-hosting.htm" rel="nofollow - ASP.NET Web Hosting Posted By: MrMellie Date Posted: 02 January 2007 at 8:21pm ok. I got the impression from the security warning in the Image and File Upload Configuration screen that it was an issue. Security Warning - Please Read Allowing users to upload their own files and images requires that write and modify permissions are enabled on the upload directory. This can be a security issue as a hacker can use this to hack a web site. If you are concerned about security DO NOT ENABLE UPLOAD FEATURES!! You're absolutely right, I'm using ADO streaming. Off to Google on the security issues! Seemed like a pretty sound solution at first. BTW, how do the big players like vBulletin and Invision etc handle this? I assumed they were streaming files? (I know they are PHP based...) Posted By: WebWiz-Bruce Date Posted: 05 January 2007 at 10:37am Those bulletin boards are written using PHP which would use different methods than ASP based forums and usually on Linux which has a different security and permissions system to windows. The security warning in the downloads page was placed in for version 7 and maybe should have been updated. The reason for this stern warning is that if a hacker gained control of the admin area they could change the upload configuration to allow other files such as an unsafe ASP file to be uploaded which could then be used to delete or deface the entire site if write and modify permissions were enabled on the entire site. However, version 7.96 and version 8.x have protection against this. You now can not set 'unsafe' file types in the file upload configuration in the admin area, so a mistaken admin or a hacker can not manipulate the upload tool to upload unsafe file types and gain control of the server that way. For the next version the security warning on the upload configuration page has been changed to:- Security Warning - Best Practice Allowing users to upload their own files and images requires that write and modify permissions are enabled on the upload directory for the Internet User Account (IUSR). The best practice for this is to ONLY allow write and modify permissions on the upload directory and 'read only' permissions for the rest of your web site. In the event that your site comes udder attack form a hacker who manages to gain control through the IUSR account, this measure prevents the hacker from destroying or defacing the rest of your web site. The upload tool does already have allot of protection built in for checking file types to make sure that unsafe files are not uploaded, and version 8.05 goes even further and checks inside of the uploaded file for mime changes which could be used to manipulate client side web browsers. So all in all the upload tools are pretty safe, and I have not heard of any sites being hacked at all when using version 8.  As long as people follow security instructions and run the latest version then the chances of being hacked are virtually none. ------------- https://www.webwiz.net/web-wiz-forums/forum-hosting.htm" rel="nofollow - Web Wiz Forums Hosting https://www.webwiz.net/web-hosting/windows-web-hosting.htm" rel="nofollow - ASP.NET Web Hosting

Print Page | Close Window Forum Software by Web Wiz Forums® version 12.08 - https://www.webwizforums.com Copyright ©2001-2026 Web Wiz Ltd. - https://www.webwiz.net