Security risk of allowing upload of files?
 

Started by Magnate, July 16, 2004, 12:06:38 PM


Magnate

Hi,
My web-admin claims that allowing people to upload files to a directory on the server is a security risk, as it provides write access to anyone that cares to write to the directory.
Does Coppermine provide any checks to ensure that uploaded images aren't actually malicious executables?
Is this something that I really need to worry about?
Cheers,
Magnate

Casper

Coppermine, if set up as standard, does not allow uploads of executable file types by users. Where in config the file upload types are set to 'ALL', this means all those allowed, not all types regardless. Users cannot upload file types such as html, js, php or any other script.

If you are still worried, you can turn off the uploads of all files except images, in config.

Note, please do not double post.
It has been a long time now since I did my little bit here, and I have done no coding or any other such stuff since. I'm back to being a noob here.

Joachim Müller

@Magnate: you originally posted your question as a reply to http://forum.coppermine-gallery.net/index.php?topic=7974.0 , so here's the reply I posted there. As you deleted your posting there, my answer might seem "out of place".
Quote: you're right, you mustn't grant ftp-upload permissions to users; that's not what beanie's question was about: he/she asked how to install coppermine in the first place.

To answer your security concerns: regular uploads within coppermine will only let users upload files the admin defines: neither pictures (jpg/gif/png) nor movies (wmv, avi, mov, swf) nor documents (doc, xls, txt) are harmful to the server, since they are not executable on the server. Potentially harmful file extensions (that would be a security risk, like php, asp, vb etc.) are not enabled on a default coppermine install, and you're not recommended to add them to the list of allowed file types. The admin should be the only person that is allowed to ftp-upload, and will surely not upload files that are potentially harmful to his webserver.

GauGau
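As an added illustration of the policy both replies describe (this is example code, not Coppermine's own upload handling and not taken from either post): an extension allow-list where "ALL" expands to the configured set rather than to "any file", plus a check that an image's leading bytes match its claimed type, since the name alone proves nothing about the content. The config format, the function names, the extension sets and the sample uploads are all constructed for this example.

```python
import re

# Constructed allow-lists following the idea in the thread: the admin picks the
# extensions users may upload, and "ALL" means "all of these", never "anything".
IMAGE_TYPES = {"jpg", "jpeg", "gif", "png"}
MOVIE_TYPES = {"wmv", "avi", "mov", "swf"}
DOCUMENT_TYPES = {"doc", "xls", "txt"}
ALL_ALLOWED = IMAGE_TYPES | MOVIE_TYPES | DOCUMENT_TYPES

# Leading bytes of the image formats, so a file's content is checked as well as its name.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Only letters, digits, underscore and hyphen in the part before the extension:
# this rejects a second extension (photo.php.jpg) and odd characters in one go.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_\-]+$")


def resolve_allowed(config_value):
    """Expand the hypothetical config setting: 'ALL' is the whole configured set,
    anything else is a '/'-separated list of extensions."""
    if config_value.strip().upper() == "ALL":
        return set(ALL_ALLOWED)
    return {ext.strip().lower() for ext in config_value.split("/") if ext.strip()}


def check_upload(filename, data, allowed):
    """Return (accepted, reason) for one upload, given the expanded allow-list."""
    if "/" in filename or "\\" in filename:
        return False, "filename contains a path separator"
    stem, sep, ext = filename.rpartition(".")
    if not sep or not ext:
        return False, "no extension"
    ext = ext.lower()
    if not SAFE_STEM.match(stem):
        return False, "filename stem contains disallowed characters"
    if ext not in allowed:
        return False, f"extension .{ext} is not on the allow-list"
    # For image types, the bytes must look like that image format.
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        return False, f"content does not look like a .{ext} file"
    return True, "ok"


# Constructed sample uploads: (filename, first bytes of content).
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("notes.txt", b"just some text"),
    ("shell.php", b"<?php echo 1; ?>"),
    ("photo.php.jpg", b"\xff\xd8\xff\xe0"),
    ("fake.png", b"<?php echo 1; ?>"),
    ("../escape.jpg", b"\xff\xd8\xff\xe0"),
]


def run_samples(config_value):
    """Apply the policy to every sample; returns {filename: accepted}."""
    allowed = resolve_allowed(config_value)
    return {name: check_upload(name, data, allowed)[0] for name, data in SAMPLES}


if __name__ == "__main__":
    for setting in ("ALL", "jpg/png"):
        print(f"config = {setting!r}")
        for name, data in SAMPLES:
            ok, why = check_upload(name, data, resolve_allowed(setting))
            print(f"  {'accept' if ok else 'reject'}  {name:16} {why}")
```

With the setting "ALL", the text file and the real JPEG are accepted while the script, the double-extension name, the PHP bytes named .png and the path-traversal name are all rejected; narrowing the setting to "jpg/png" additionally rejects the text file, which is the "images only" configuration Casper mentions.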