mwoolley Posted April 10, 2004 Posted April 10, 2004 I have a file upload script that is straight from the PHP manual (see below). It works great, but only if I set the permissions on the uploads directory to be 777. This doesn't seem real secure. I've researched this issue in the PHP forums and people talk about setting the security on the upload directory so that user 'nobody' (user Apache runs under) can write it. I'm a Unix newby, but I can't see any option in the cpanel to do that. Any ideas? <?php // In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead // of $_FILES. $uploaddir = 'uploads/'; $uploadfile = $uploaddir . $_FILES['userfile']['name']; print "<pre>"; if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { print "File is valid, and was successfully uploaded. "; print "Here's some more debugging info:\n"; print_r($_FILES); } else { print "Possible file upload attack! Here's some debugging info:\n"; print_r($_FILES); } print "</pre>"; ?> Quote
MikeJ Posted April 11, 2004 Posted April 11, 2004 There really isn't a way around it with PHP. The php pages run under the webserver user "nobody" so you have to leave the directory the upload process writes to as world writable. You can't change the owner of your directories, and even changing the owner to nobody would do little for your security, since everyone on the same server has access to the nobody user through their web pages. You could look into alternative methods that allow uploads via cgi so it can run as your user account, but that has it's own security issues (and in my opinion, more serious security issues). Uploading in general via a web page is inherently insecure for the directories people are allowed to upload to. Quote
mwoolley Posted April 11, 2004 Author Posted April 11, 2004 I experimented with different settings on the Execute permission, but it seems to need to be World executable as well. Why is that? I've restricted the types of files that can be uploaded to only image file types, but if I wasn't doing that, it seems someone would be able to upload an executable file and trash my web site with it. Quote
TCH-Bruce Posted April 11, 2004 Posted April 11, 2004 1. It has to be world executable to allow uploads into it and it is a directory not a file. 2. These are Linux servers and will not execute .EXE files. But they could upload a CGI script written in Perl, PHP or Javascript that could mess with your site. You should be able to write something that only allowed certain file extensions to be uploaded. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.