Hacker News new | ask | show | jobs
by jacquesm 4406 days ago
Even if it does not show anything to other users, just having the wrong extension can already bite you badly.

Uploading php files instead of images has been used to gain access to machines. Anything that gets stored as a file on the filesystem of the destination machine is a huge risk. All it takes is one little misconfiguration somewhere else and you're wide open.
2 comments
meowface 4406 days ago
Not to mention that many Apache configurations will use mod_mime, which by default enables multiple extensions.

So if someone uploads a file called `image.php.jpg`, the file is executed by Apache as PHP code. And obviously verifying the MIME type or even the content of the file won't help you here, since you can just write a JPEG header and then throw in `<?php system("..."); ?>` after it.

Even when you think you're safe based on what you'd consider to be obvious assumptions ("the file extension is whatever comes up after the last period"), there are weird things like this that might bite you.

link
teach 4406 days ago
This is only if you subsequently give them a link to what they uploaded, correct?

I have a site that allows uploads (students turning in Java files) but the files are just stored in a folder on the server that isn't in the web-served path. They can't see the file again once uploaded. I assume (and I think rightly) that there's no security risk in my case.

link
meowface 4406 days ago
It depends on the kind of application, but for the most part you are right. If a file is saved to a path that is not part of the "web root", then it is unlikely that any vulnerabilities will be introduced.

Just make sure it is a hardcoded path, and not one that users can manipulate in any way (a filename of "../../../../file.java" for example). And if there is some other interface that reads files from that directory and outputs them to a page, that will also need to be secured against XSS.

link
rurounijones 4406 days ago
As long as you read the files before you execute them.

Otherwise some bad actor could write a virus / local exploit into their submission which will execute when you compile and run the file.

link
teach 4406 days ago
I never execute them. I just grade them by reading the code. Running them takes FAR longer than reading.
link
rurounijones 4406 days ago
Are these exceedingly simple programs 10 line programs? Otherwise:

How do you know they compile?

How do you know they work?

How do you know they handle all the edge cases you can throw at them.

If you have a 100% accurate parser and compiler in your head, I am impressed.

Our teachers (and this was 15 years ago) had test-runners which would compile and run our programs to make sure they met the requirements of the homework THEN they looked at the code and marked it for style etc.

Sometimes they provided these test runners to us so we could check them ourselves, sometimes they didn't (this was, naturally, harder).

link
goblin89 4406 days ago
Obviously such workflow, while being fairer, requires a reliable sandbox of some kind—even though one might argue that in a university such things may be of less importance and that allowing for some degree of hacking is educational and perhaps should even be tacitly encouraged, still you'd want to make sure that when students break your system they can't go Bobby Tables on it or dump everyone's private data on black market.
link