Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
valdarez
Worker
Worker


Joined: Jan 22, 2007
Posts: 104

PostPosted: Wed Aug 01, 2007 3:45 pm Reply with quote

I am running the latest release of Raven Nuke and I would like to provide the ability for certain users to upload images to the website. I have read a ton of threads that discourage providing any type of upload capability what-so-ever. However, surely there is something out there that is safe? By any chance is there a module that the RavenNuke staff might not quantify or endorse as safe, but would suggest as the best/safe module to achieve the image upload/display functionality?

Thanks!
 
View user's profile Send private message
FireATST
RavenNuke(tm) Development Team


Joined: Jun 12, 2004
Posts: 637
Location: Ohio

PostPosted: Thu Aug 02, 2007 8:28 am Reply with quote

Any time you allowed people to upload any type of file to your webspace you open a small door for problems. I would really make sure that these people are very trust worthy. If you laid a $5,000 dollars on the table in front of them and left the room, would the money still be there when you got back..... Smile

Gallery 2 is pretty good I have found, but even then I don't allow just anyone access to upload photos to it. With all the information that is out there about the reasons why not to do this, and you still choose to go ahead, then I wish you the best of luck....Smile
 
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Thu Aug 02, 2007 9:37 am Reply with quote

I think I remember looking at NSN Downloads and seeing how they did it. You could try that. I have never used it though, just read through the code once.

You'll want a module that: allows only files less than a certain size, only allows certain file extensions (e.g. .jpg, .gif, but not .exe, or .php), changes the permissions on uploaded files to be non-executable, and hopefully squirrels them away somewhere for admin review. Renaming the newly uploaded file would help also. It could also check the MIME type on the file, but that can be spoofed.

The danger with uploading is that someone could upload a script or program to your server and then execute it either as the webserver process or as another user if they got through another back door. Even with taking the precautions above there is still some risk.

_________________
Only registered users can see links on this board! Get registered or login! - An Event Calendar for PHP-Nuke
Only registered users can see links on this board! Get registered or login! - A Google Maps Nuke Module 
View user's profile Send private message
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©