The FreeBSD Diary

Article Feedback - upload files via http
 Security issues with this script
Author: C Morris 
Date:   17-01-03 19:42

It seems to me there are 2 issues with this script:

1) The size of the uploaded file is checked _after_ the upload has been done. If it is too large it is removed. However, by this time the file has already been written to disk. The ramifications here are significant.

For example:

MAXIMUM_UPLOAD = 100M
WWW partition size = 500M

User uploads a 5GB file. Since the file size is checked _after_ the upload the available disk space on the www partition has been filled. Potential server crash.

2) No maximum specified on number of files that can be uploaded.
Similar to the previous issue.

For example:

MAXIMUM_UPLOAD = 100M
www partition size = 500M

User uploads 10 x 100M files. Same result as issue 1.

These issues are not insurmountable but they should be taken into consideration by anyone who plans to post this script to their www server. Beware of blindly adding 3rd party scripts to your http server.
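The two fixes the post calls for, as an added example that is not the script under discussion nor the poster's code: the size cap is enforced before every write rather than after the file is complete, and a request is bounded in both file count and total bytes. The limits, the chunk size and the sample uploads are constructed assumptions, scaled down from the post's 100M-on-500M scenario so the demo runs instantly.

```python
import io, os, tempfile
MAX_UPLOAD_BYTES = 100     # per-file cap (constructed; scaled to bytes, the post's case being 100M on 500M)
MAX_FILES_PER_REQUEST = 5  # per-request file count, which the script lacks
MAX_REQUEST_BYTES = 300    # per-request byte total, so N files cannot fill the disk

class UploadRejected(Exception):
    """Raised when a limit is hit; anything written for the request has been removed."""

def save_upload(stream, dest_dir, budget):
    # Enforce the cap before each write, never after; a rejected partial file is unlinked.
    fd, path = tempfile.mkstemp(dir=dest_dir)
    try:
        with os.fdopen(fd, "wb") as out:
            while chunk := stream.read(16):
                if out.tell() + len(chunk) > budget:
                    raise UploadRejected(f"upload exceeds {budget} bytes")
                out.write(chunk)
    except Exception:
        os.unlink(path)
        raise
    return path, os.path.getsize(path)

def handle_request(streams, dest_dir):
    # Check the count first; each file gets min(per-file cap, remaining budget); roll back on failure.
    if len(streams) > MAX_FILES_PER_REQUEST:
        raise UploadRejected("too many files in one request")
    saved, remaining = [], MAX_REQUEST_BYTES
    try:
        for s in streams:
            path, n = save_upload(s, dest_dir, min(MAX_UPLOAD_BYTES, remaining))
            saved.append(path)
            remaining -= n
    except UploadRejected:
        for p in saved:
            os.unlink(p)
        raise
    return saved

def demo():
    # Constructed requests: one acceptable upload, then oversize, too many files, too many bytes.
    verdicts = []
    with tempfile.TemporaryDirectory() as d:
        for bodies in ([b"a" * 60], [b"b" * 1000], [b"c"] * 6, [b"d" * 100] * 4):
            try:
                handle_request([io.BytesIO(b) for b in bodies], d)
                verdicts.append("accepted")
            except UploadRejected:
                verdicts.append("rejected")
        left = sum(os.path.getsize(os.path.join(d, f)) for f in os.listdir(d))
    return verdicts, left
```

The oversize upload is refused at the first chunk that would cross the cap, so the partition never holds more than the cap for any one file, and the four-file request is rolled back as a whole, leaving only the 60 bytes of the one accepted upload on disk.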
