
I've built a small upload system using PHP. It is working just fine for now; however, the problem I have is the way I've got it to work.

I don't have much of a background in security, but it is what I'm trying to learn at the moment.

So in order to get the file upload system to work, I needed to change the permissions for a folder that I wanted to put the file into.

So I have a Windows server. I located the folder > right click > Properties > Security > Edit

Here there is a list of 5 groups:

  • CREATOR
  • SYSTEM
  • Administrators
  • Users
  • TrustedInstaller

So when I'm uploading a file, it uploads to temp files, then the system moves the file to the right location, let's say /vids.

Originally the "Users" group permissions were set to "deny" on the write permission, meaning the Users group could not write files to this location. This means that when the system tries to move the file, it gets a permission error.

So I changed the "Users" group write permission to "allow" and the file upload and move work just fine. However, I am worried that this is bad practice from a security standpoint?

From what I could see, if it has the write permission an attacker could put a script in that location and then execute it. Is this correct? If so, how do I get around this and make it more secure?

ragebunny

1 Answer


An attacker could certainly upload some form of malicious code and run it, but there are a few ways to mitigate this. Do not allow access to the files directly, but only through some kind of intermediate script. Restrict uploads to only a selected few file types (image types, or only text files, etc.). And if I understand your question, permissions are not the thing to worry about.

Robbie Mckennie

  • Well, the benefit of this system is that only trusted users will have access to the upload page (members of a small company). I only allow uploads of MP4 or mp4 files as well. So the fact that I set that permission isn't a security flaw? The upload system itself could be the potential security flaw? – ragebunny Jul 22 '13 at 10:33
  • Although this is no alternative to getting a professional to pentest your system, I see no gaping security holes. – Robbie Mckennie Jul 22 '13 at 10:35
  • It's okay, I won't hold you personally responsible if something goes wrong :P Thanks a lot for your help, I really appreciate it. – ragebunny Jul 22 '13 at 10:44
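
The two mitigations named in the answer (serve files only through an intermediate script, accept only one file type) can be sketched in PHP as follows. This is an added example, not code from the question or the answer; `STORAGE_DIR`, `MAX_BYTES` and the function names are assumptions, and the storage folder is assumed to sit outside the web root so nothing in it is reachable by URL.

```php
<?php
// Added example, not code from the thread. Assumed values:
const STORAGE_DIR = 'D:\\upload-store\\vids';   // hypothetical folder outside the web root
const MAX_BYTES   = 500 * 1024 * 1024;          // hypothetical size limit

// Validate one $_FILES entry and store it under a server-chosen name.
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('not an accepted upload');
    }
    // Extension check on the client-supplied name, case-insensitive (MP4 or mp4).
    if (strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)) !== 'mp4') {
        throw new RuntimeException('only .mp4 is accepted');
    }
    // Coarse content check: an MP4 container has the box type "ftyp" at offset 4.
    $head = file_get_contents($file['tmp_name'], false, null, 0, 12);
    if ($head === false || substr($head, 4, 4) !== 'ftyp') {
        throw new RuntimeException('file is not an MP4 container');
    }
    // The client's file name decides neither the path nor the extension.
    $id = bin2hex(random_bytes(16));
    $target = STORAGE_DIR . DIRECTORY_SEPARATOR . $id . '.mp4';
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    return $id;
}

// Intermediate script: the browser asks for an id, never for a path.
function serve_video(string $id): void
{
    $path = STORAGE_DIR . DIRECTORY_SEPARATOR . $id . '.mp4';
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: video/mp4');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

Call `store_upload()` with the relevant `$_FILES` entry from the upload page and `serve_video()` from a separate page that runs the site's own login check first. With this layout only the account PHP runs under needs write access to the storage folder.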