The first, and easiest, step: make sure that you have disabled execute permissions
on any directory you write to.

---
Billy Cravens
HR Web Systems, EDS
[EMAIL PROTECTED]

----- Original Message -----
From: "Palyne Gaenir" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 27, 2001 8:35 PM
Subject: cffile - security issues


> Hi List, would appreciate some experienced insight here.
>
> I have an app that allows users to upload files.  I would like to be
> certain that they do not upload files capable of running malicious
> code on my server, but leave the file types they are allowed to
> upload, generally "open" otherwise.  (1) Is there some kind of list
> of file types to exclude that are considered 'dangerous'?  And (2)
> would allowing uploads of Java .class files be dangerous?
>
> (3) I have a list I compiled from a mime-types someone posted on this
> list about a year ago, that seems wide enough to span commonly used
> uploads.  Does this seem like major overkill to try and stuff all
> this into the "accept" field of a cffile tag?  As follows:
>
> application/http, application/msword, application/pdf,
> application/rtf, application/wordperfect5.1,
> application/x-latex, application/xml, application/zip, image/bmp,
> image/gif, image/png, image/tiff, image/tif,
> image/jpeg, image/jpg, text/html, text/htm, text/asc, text/txt,
> text/richtext, text/rtf, text/tab-separated-values,
> video/mpeg, video/mpg, video/mpe, video/quicktime, video/qt,
> video/mov
>
> (4) A related question.  I tried to use CFIF on an insert template,
> to make sure users could not insert files with exe, com, bat, vb etc.
> extensions.  I said:
>
> [cfif trim(right(form.resfile,6)) contains
> ('.bat','.exe','.com','.vb')] reject it and say why [/cfif]
> And then I made simple text files with a few chars and named them
> with extensions like .vb, for example, and tried to upload -- and the
> .bat just worked (it shouldn't have), and the .vb, for example, gets
> caught by error-checking as the file field being blank, when it was
> not; it's as if it's getting 'cleared' somehow on submit.  Clearly my
> logic is way off on this.  Is there a better way to approach it?
>
> Best regards,
> Palyne
>
>
> -------------------------------------------------------------------------
> This email server is running an evaluation copy of the MailShield anti-
> spam software. Please contact your email administrator if you have any
> questions about this message. MailShield product info: www.mailshield.com
>
> -----------------------------------------------
> To post, send email to [EMAIL PROTECTED]
> To subscribe / unsubscribe: http://www.dfwcfug.org
>

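Putting the two messages together, here is an added example (it is not code from either poster) of how an upload template could enforce an extension allow list on the file as it was actually saved, rather than on the raw form value, and keep uploads in a directory where they cannot be executed. The form field name resfile comes from the question; the application.uploadDir variable, the allowed-extension list and the messages are assumptions made for the illustration.

```cfml
<!--- Added example, not from the original posts. Assumes a form field named
      "resfile" (from the question) and an upload directory held in
      application.uploadDir (illustrative name). --->
<cfset allowedExt = "doc,pdf,rtf,txt,zip,gif,jpg,jpeg,png,bmp,tif,tiff,mpg,mpeg,mov">

<!--- Save the file to a directory that is not under the web root and has no
      execute permission, so a file that slips through cannot be run by the
      server. nameconflict="makeunique" avoids overwriting existing files. --->
<cffile action="upload"
        filefield="resfile"
        destination="#application.uploadDir#"
        nameconflict="makeunique">

<!--- cffile.serverFileExt is the extension of the file as written to disk.
      Check it against an allow list (listFindNoCase returns 0 when the value
      is absent) instead of a deny list of "known bad" extensions. --->
<cfif NOT listFindNoCase(allowedExt, cffile.serverFileExt)>
    <!--- The file has already been written, so remove it before reporting. --->
    <cffile action="delete"
            file="#cffile.serverDirectory#/#cffile.serverFile#">
    <cfoutput>
        <p>Upload rejected: files of type .#cffile.serverFileExt# are not allowed.</p>
    </cfoutput>
    <cfabort>
</cfif>

<!--- contentType/contentSubType are the MIME type the browser reported; they
      are worth logging but are client-supplied and cannot be trusted alone. --->
<cfoutput>
    <p>Saved #cffile.serverFile# (#cffile.contentType#/#cffile.contentSubType#).</p>
</cfoutput>
```

The check runs against cffile.serverFileExt, which ColdFusion fills in after the upload from the name the file was saved under, so it does not depend on whatever the browser placed in form.resfile. An allow list is used rather than a list of forbidden extensions because the set of extensions a server might execute is open-ended. The accept attribute of cffile is compared against the MIME type the browser sends, so it is a reasonable secondary filter but not a substitute for the extension check or for the permissions on the destination directory.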