Security risk of allowing upload of files?

[Magnate]

Hi,
My web-admin claims that allowing people to upload files to a directory on the server is a security risk, as it provides write access to anyone that cares to write to the directory.
Does Coppermine provide any checks to ensure that uploaded images aren't actually malicious executables?
Is this something that I really need to worry about?
Cheers,
Magnate

[Casper]

Coppermine, if setup as standard, does not allow uploads of exectuable type files by users.  Where in config, the file upload types are set to 'ALL', this means all those allowed, not all types regardless.  Users cannot upload filetypes such as html, js, php or any other script.

If you are still worried, you can turn off the uploads of all files except images, in config.

Note, please do not double post.

[Joachim Müller]

@Magnate: you originally posted your question as a reply to http://forum.coppermine-gallery.net/index.php?topic=7974.0 , so here's the reply I posted there. As you deleted your posting there, my answer might seem "out of place"

you're right, you mustn't grant ftp-upload permissions to users; that's not what beanie's question was about: he/she asked how to install coppermine in the first place.

To answer you security concerns: regular uploads within coppermine will only let users upload files the admins defines: neither pictures (jpg/gif/png) nor movies (wmv, avi, mov, swf) or documents (doc, xls, txt) are harmfull to the server, since they are not executable on the server. Potentially harmfull file extensions (that would be a security risk, like php, asp, vb etc.) are not enabled on a default coppermine install, and you're not recommended to add them to the list of allowed file types. The admin should be the only person that is allowed to ftp-upload, and will surely not upload files that are potentially harmfull to his webserver.

GauGau