Input Validation-File Upload
File upload capability allows a Web user to send a file from his or her computer to the Web server. If the Web application that receives the file does not carefully examine it for malicious content, an attacker may be able to use file uploads to execute arbitrary commands on the server. Arbitrary command execution may allow an attacker access to the server with the permissions of the Web server or script engine user. Additionally, it may be possible to upload viruses or other malware. Ensure that the following steps are taken to sanitize the file being received:
1. Limit the types of files that can be uploaded not only by extension but also by content.
a) Check file extensions.
b) Check file content (e.g. MIME type).
To ensure this, check the file extension and the MIME type of the file before upload.
2. Do not allow the end user to control the name of the file or location where it is stored on the server.
a) Do not use the existing name of the user’s file.
b) Do not derive the file name from the user name, session ID, or other variables known to the user.
To ensure this, change the name of the file before upload, e.g. use a timestamp as the file name.
3. Ensure that strict permissions are set on both the uploaded file and the directory it is located in.
a) Do not grant execute permissions.
To ensure this, add .htaccess file security in the public folder. There are many options for handling execute permission. One is AllowSymLink (symbolic links); another is to add the following line to the .htaccess file:
RewriteRule ^img/.*\.(htaccess|htpasswd|ini|phps?|fla|psd|log|sh|zip|exe|pl|jsp|asp|htm|sh|cgi|py)$ - [F]
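The above line makes the server answer 403 Forbidden for requests to files with the given extensions in the img folder and its subdirectories, which stops them from being executed. It takes effect only when mod_rewrite is enabled and the rewrite engine is switched on (RewriteEngine On).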
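The three steps above combined into one upload handler, as an added example in Python (not code from the original page). The function name store_upload, the image-only allowlist and the magic-byte signatures are assumptions for illustration; the stored name adds a random token to the timestamp so that it cannot be guessed.

```python
import os
import secrets
import time

# Assumed allowlist: extension -> magic bytes the content must start with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    """Raised when an upload fails the extension or content check."""


def store_upload(client_name: str, data: bytes, upload_dir: str) -> str:
    """Validate an upload and store it under a server-chosen name.

    Returns the path of the stored file; raises UploadRejected otherwise.
    """
    # Step 1a: extension allowlist. Only the final extension counts,
    # so "shell.php.png" is judged as .png and must then pass step 1b.
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")

    # Step 1b: check the bytes themselves, not the Content-Type
    # header, which the client controls.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")

    # Step 2: server-chosen name; nothing from client_name survives
    # except the already validated extension.
    name = f"{int(time.time())}_{secrets.token_hex(8)}{ext}"
    path = os.path.join(upload_dir, name)

    # Step 3: create exclusively, with no execute bits (rw-r--r--).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o644)  # enforce the mode regardless of umask
    return path
```

The magic-byte check only confirms the file header, so the directory-level rule in the .htaccess file is still needed for anything that passes it.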