
File Uploading - The Safer Way (PHP Module) @ Pack Web Hosting
Submitted by Admin on 24/Jul/2010 12:07
Security is probably the most important aspect of hosting services. People in this trade may have experienced themselves, or may know someone who has had to go through, the harrowing experience of website hacking/malware injection.

With respect to Linux hosting, the following scenarios exist:
  1. PHP running as an Apache Module. Perl/CGI Scripts running as CGI suexec (our servers follow this scenario).
  2. PHP/Perl/CGI Scripts running as CGI suexec.


Here we will discuss scenario #1, where PHP runs as a module:
When PHP runs as an Apache module, it runs as the same user as Apache. In most deployments this user is nobody. But when a PHP script tries to save a file, it cannot, because the owner of the folder is the Linux/FTP user, not the Apache user. To work around this, the programmer gives the destination folder 777 permissions (read, write, execute for user, group and others). From a security point of view, the implications are as follows:
  1. There is a folder in your directory tree to which everyone has write permission.
  2. If your script does not enforce file type checks while uploading, or if it has a vulnerability, a PHP file can be uploaded.
  3. Once a PHP file is uploaded, the attacker can run it via http://youdomain.cxm/images/test.php. In practice this means he can send a spam bomb, delete or update other files owned by user nobody, or run an exploit that impacts the server's functionality.


Steps that should be taken to prevent this scenario:
  1. Ensure your code has no vulnerabilities and has been tested for all use cases/scenarios.
  2. While uploading files, check both the file extension and the MIME type. Please refer to http://www.php.net/manual/en/features.file-upload.post-method.php. In no case should the uploaded file's name end with .php or .pl.
  3. If you use 3rd party scripts like WordPress, Joomla, Drupal etc., keep them updated at all times. The maintainers of these scripts release updates regularly.
  4. You can also add the following lines to the .htaccess of the folder where files are uploaded, to disable PHP/Perl scripts there:

    ###########
    php_flag engine 0
    Options -ExecCGI
    ###########

    This is probably the most important step to take. Note that php_flag only takes effect when PHP runs as an Apache module (scenario #1 above), and both directives require AllowOverride Options to be enabled for that folder.
  5. And of course, take regular backups of your codebase and MySQL DBs.
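As an added example (not code from the original post), here is a small PHP 7 upload handler that applies steps 2 and 4 above: an extension whitelist, a MIME check on the file contents rather than the client-supplied type, and a random server-side filename. The form field name "upload" and the folder /var/www/example.cxm/uploads are assumptions; that folder should still carry the .htaccess shown above.

```php
<?php
// Added example, not from the original post. Assumes PHP 7+, a form field
// named "upload" and the hypothetical target folder below.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/example.cxm/uploads';
// Whitelist of extension => expected MIME type. Anything else is rejected,
// so a name ending in .php, .phtml or .pl never reaches the disk.
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

function store_upload(array $file): string
{
    // 1. Reject anything PHP itself flagged as a failed upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . ($file['error'] ?? 'none'));
    }
    // 2. Only trust a path that really came from the HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // 3. Extension check on the client-supplied name (lower-cased, last dot only).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('File type not allowed: ' . $ext);
    }
    // 4. MIME check on the actual bytes; $file['type'] is client-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("Content ($mime) does not match extension .$ext");
    }
    // 5. Never reuse the client's filename: a random name with the whitelisted
    //    extension defeats path tricks and double extensions like a.php.jpg.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move file into place');
    }
    // 6. Readable by all, writable only by the owner, never executable.
    chmod($target, 0644);
    return $target;
}

try {
    echo 'Stored as ' . store_upload($_FILES['upload'] ?? []);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Rejected: ' . $e->getMessage();
}
```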


I hope the information provided here will be of help to webmasters/programmers.

Kirti
