[Dshield] Uploads to Apache

Johannes B. Ullrich jullrich at sans.org
Thu Jan 6 22:58:47 GMT 2005

> I have provided a document upload from a
> feedback form confirmation page (using php) to offer an opportunity to
> provide opposing points of view.
> Does this seriously compromise security?

Depends ;-)

The main problem with file uploads is usually where the file ends up in your 
file system. For example, if the file is inside your webserver's document 
root, the attacker could upload a malicious php script, then point the 
browser to the URL of the script and execute it.

Typically, you should save the uploaded file in an area that is not inside the 
webroot or the php include path.

I typically prefer to generate my own filenames, and do not use the filename 
provided by the person uploading the file. This way, you avoid various issues 
with attackers using '..' in their files to escape from the directory you 
designated for uploads.

If you need access to the file via your web browser, you can set up a small 
script to pull the file. Or, if you have to, you can place the file inside 
your webroot, but inside a password protected directory.
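The approach described above (store outside the webroot under a generated name, serve through a small script), as an added PHP example that is not part of the original post; the form field name "document", the directory /var/uploads and the ".dat" suffix are assumptions:

```php
<?php
// Added example, not from the original post. Assumes a form field named
// "document" and an upload directory outside the web root (constructed path).
const UPLOAD_DIR = '/var/uploads';   // not under the document root, not on include_path
const MAX_BYTES  = 2 * 1024 * 1024;

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: error ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('rejected upload');
    }
    // Generate our own name; the client-supplied name is never used as a path,
    // so '..' or '/' in it cannot escape the upload directory.
    $name = bin2hex(random_bytes(16)) . '.dat';
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // plain data, never executable
    return $name;         // handle to record in your database
}

// Retrieval script: looks the handle up and streams the bytes, so the web
// server never interprets the stored file as a script.
function send_upload(string $name): void
{
    if (!preg_match('/^[0-9a-f]{32}\.dat$/', $name)) {   // only our own names
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="upload.dat"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

if (isset($_FILES['document'])) {
    echo 'stored as ' . store_upload($_FILES['document']);
} elseif (isset($_GET['f'])) {
    send_upload($_GET['f']);
}
```

Because the file is written with a name only the script knows how to map and is served as an attachment, a browser pointed at it receives bytes rather than executing anything.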

Many web-based photo album packages have the problem that they allow users to upload 
arbitrary files and later 'view' them via the album (and as a result, the 
included php code is executed). These cases are a bit harder to deal with. 
Typically, you can just fix the extension to something that is not parsed by 

Johannes Ullrich, jullrich at sans.org                   
CTO, SANS Internet Storm Center, http://isc.sans.org
