[5049] in WWW Security List Archive
Re: WWW/CGI Security Concerns w/ File Upload
daemon@ATHENA.MIT.EDU (tk)
Sun Apr 13 05:32:01 1997
Date: Sat, 12 Apr 1997 23:33:36 -0800
To: www-security@ns2.rutgers.edu
From: tk@alliancestudio.com (tk)
Errors-To: owner-www-security@ns2.rutgers.edu
I use file uploads, and I wasn't quite able to make a connection between my
use of the feature and these questions.
Just to make sure we are talking about the same thing, let me ramble a bit.
File uploads are done by using a combination of <FORM
ENCTYPE=multipart/form-data ...> and <INPUT TYPE=FILE ...> tags inside a
form.
The file is sent to the server, which forwards it to the chosen CGI.
The CGI must read the multipart contents and extract the file.
The CGI then writes the contents to a file or some other application like mail.
Any security issues which would be involved have to be handled inside the CGI.
Are we talking about the same file upload feature, or is there some other
file upload feature I don't know about?
Or are there security concerns involved with the feature which I don't know
about?
P.S. does the <INPUT TYPE=FILE> type file upload work with Microsoft Explorer?
We only use the feature internally so I never needed to test it.
Thanks,
Troy
>I have a question for those of you who know the Apache web server. I
>am working on a listing of resumes for students in my college which will
>be searchable via a cgi search engine.. As part of this, I would like to
>allow students to upload a copy of their resume using the Netscape file
>upload features but want to make sure that all SSIs and cgi access in that
>directory is turned off..
>
>1. If this gets inserted into the access.conf file will it turn off all
>of the options that I want in that directory...
>
><Directory /home/webhome/{resume_directory}>
>Options None
></Directory>
>
>or could I give myself the ability to change these options with .htaccess
>by putting this in the access.conf
>
><Directory /home/webhome/{resume_directory}>
>AllowOverride Options
></Directory>
>
>and putting a .htaccess file in the directory containing
>
>Options None
>
>Are my interpretations of the Apache docs & configurations correct in
>these instances..
>
>
>2. Alternatively, because I don't have direct access to root.. Does
>anyone have any suggestions to what I should search for when uploading the
>files.. I know to remove any the SSIs and not let them download to a file
>name that is mapped to a Handler.. Any other suggestions for possible
>malicious coding...
>
>Thanks for your time..
>
>Matthew Petteys
>mpettey@bgnet.bgsu.edu
Troy Korjuslommi ALLIANCE STUDIO [WEST]
Technical Director/Webmaster http://www.alliancestudio.com/
e. tk@alliancestudio.com ph. (310) 458-0884
fx. (310) 395-5741
* * * LAUNCHED APRIL 3RD, 1997 * * *
S T A R L I G H T F O U N D A T I O N
- - Benefiting over 42,000 children each month - - http://www.starlight.org - -
