Question
On my site, I have an ability for users to upload a file to the server and to view all uploaded files in a directory called "public uploads", where users can view all files that have been uploaded by other users. It's the Apache directory page where it says "Index of /uploads". It's sort of a file sharing hub where people can download and share other people's files.
Would there be any security issues with this? Can a user, say, upload a malicious PHP script, and execute it from the client side?
How can I resolve these issues, should they exist?
Answer 1:
Possibly, it all depends on server, PHP and Apache configuration.
See OWASP's Unrestricted File Upload vulnerability page for some of the risks:
- The impact of this vulnerability is high, as uploaded code can be executed in the server context or on the client. The likelihood of detection for the attacker is high. The prevalence is common. As a result the severity of this type of vulnerability is High.
- The web server can be compromised by uploading and executing a web-shell which can run commands, browse system files, browse local resources, attack other servers, and exploit the local vulnerabilities, and so forth. This may also result in a defacement.
- An attacker might be able to put a phishing page into the website.
- An attacker might be able to put stored XSS into the website.
- This vulnerability can make the website vulnerable to some other types of attacks such as XSS.
- Picture uploads may trigger vulnerabilities in broken picture libraries on a client (libtiff, IE had problems in the past) if the picture is published 1:1.
- Script code or other code may be embedded in the uploaded file, which gets executed if the picture is published 1:1.
- Local vulnerabilities of real-time monitoring tools, such as an antivirus, can be exploited.
- A malicious file (Unix shell script, Windows virus, reverse shell) can be uploaded to the server in order to execute code by an administrator or webmaster later -- on the server or on a client of the admin or webmaster.
- The web server might be used as a server to host malware, illegal software, porn, and other objects.
See my other post for some general guidelines on making file uploads safe.
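As an added example (not from either answer and not the asker's configuration), here is one way to make an Apache upload directory non-executable so that a file uploaded with a `.php` name is served as a download rather than run; the path `/var/www/html/uploads` and the module names are assumptions, and the directory listing is left enabled as the question intends.

```apacheconf
# Assumed upload directory; adjust to the real path on the server.
<Directory "/var/www/html/uploads">
    # No CGI, no server-side includes, no symlink traversal out of the folder.
    Options -ExecCGI -Includes -FollowSymLinks

    # An uploaded .htaccess must not be able to re-enable anything below.
    AllowOverride None

    # mod_php: turn the PHP engine off for this tree (module name differs by
    # PHP version, e.g. mod_php7.c; the IfModule avoids a 500 if it is absent).
    <IfModule mod_php.c>
        php_flag engine off
    </IfModule>

    # php-fpm / mod_proxy_fcgi setups typically use a FilesMatch SetHandler
    # for PHP; override it here. The regex also catches double extensions
    # such as shell.php.jpg, which some AddHandler configurations would run.
    <FilesMatch "\.(?i:php|phtml|phar|phps|php[0-9])(\.|$)">
        SetHandler None
        Require all denied
    </FilesMatch>

    # Serve every remaining file as an opaque download so that HTML, SVG or
    # script content stored here cannot run in the site's origin (stored XSS).
    ForceType application/octet-stream
    <IfModule mod_headers.c>
        Header set Content-Disposition "attachment"
        Header set X-Content-Type-Options "nosniff"
        Header set Content-Security-Policy "default-src 'none'"
    </IfModule>
</Directory>
```

This belongs in the virtual host (not a .htaccess in the upload folder, since AllowOverride None disables those); storing uploads outside the document root and serving them through a download script is the stronger alternative.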
Answer 2:
Allowing users to upload files to a public folder does not pose a risk for your server. They cannot run these files on your server.
It does pose a risk for users that download any of these files. These files may contain a virus or malware. Opening any of these files is a high security risk for your users. Not sure you're doing them a favor offering such a feature.
Source: https://stackoverflow.com/questions/29441871/would-a-public-upload-folder-be-a-security-issue