I just implemented uploadify in my project, and I noticed what seems like an important security issue with the uploading process:
The folder in which the file should be uploaded is provided as a javascript argument, so client-side. If the user changes the script, and fills in a different folder (i.e. “/”) for the upload, the file gets uploaded to the different folder.
There is an option in the config to filter the filetypes, but again it’s provided on the client side (“fileExt”).
So am I wrong to think this could lead to a possible hack? Uploading a php file anywhere in the Web Root and executing it seems easy.
- Is it the desired behavior?
- Should I just cross-check the upload folder in the uploadify.php file?
- Should I send a notice to the uploadify makers?
I’m sure I’m not the first one to think about this. Oh, and the same goes for other config parameters, like sizeLimit and queueSizeLimit.
Just looked at the code (haven’t installed it anywhere), and it certainly looks like this is a security problem. Looking at uploadify.php, I see this:
Which means that passing “/” would put the file in the document root (i.e. the home directory of your website). Of course, the user could easily (for example) pass in a folder parameter like ‘../../etc’ and a file named ‘passwd’. Or, more trivially, he could upload a “logo.jpg” to the document root and, hey, now you’ve got porn for a site logo!
Of course, even if you sandbox the users, there are still lots of potential problems with allowing a user to arbitrarily upload a file to your server. What if they upload a .php file, then go to that file with their browser? They suddenly have the ability to execute arbitrary code on your server!
If you want to do this, you should force the user’s uploads into a restricted directory (the realpath function will sanitize the path, in case the user created crazy paths with “../..” or whatever), and you should restrict the types of files allowed (i.e. to only “.jpg”, “.gif”, “.png” or whatever). Even then, a malicious user could DOS you by filling up your disk quota.