
secure php upload?

Discussion in 'BlackHat Lounge' started by Bartman, Mar 29, 2011.

  1. Bartman

    Bartman Power Member

    Joined:
    Apr 24, 2010
    Messages:
    569
    Likes Received:
    131
    Hi. I am making a website on which clients will upload their files to my website.
    I have already got a PHP script for it; it's called "File Thingie" (I know, stupid name, but great script). The way it will work: I will create a few usernames and passwords. I will require a login page for anyone who wants to upload things. They will need to call me and I will give them their unique username and password. Then they will use that to upload their stuff.

    BUT
    I am concerned about hackers having access to my server. I have been reading a lot about this and different websites say different things about making it hacker proof. The easiest solution that I came across is below. I got this from some website:

    "The best way of handling file uploads securely is rather than giving writable permissions to users, is to allow the writable permission to apache itself. In this way the apache server has writable permission rather than the user. Just chown the writable folder to apache or nobody and assign 770 permission.

    In this way the public has no access to read or write or execute permissions in the uploads folder. You will notice that apache has rwx and so as the owner. You can safely place the upload folder inside www folder without any concern.

    chown -R apache uploads
    chmod -R 770 uploads "

    I don't quite understand all this technical jargon, but is my understanding correct? If I paste the 2 lines in my .htaccess, then I am safe? I won't have to do anything with the PHP code itself?

    I don't know, guys, I am tired of searching. If you know something better than File Thingie, something more efficient, let me know. Maybe it's better if I don't require login?
     
    Last edited: Mar 29, 2011
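The two quoted commands only set ownership and permissions on the directory; they say nothing about what the PHP side accepts. Below is an added example of the checks a hardened upload handler performs on the PHP side. It is not File Thingie's code and not from the original post; it assumes a session-based login has already set `$_SESSION['user']`, that the form field is named `upload`, and that `/var/www/private_uploads` is a directory outside the web root owned by the web server user with the 0770 mode the quoted advice describes. The directory path, size limit and allow-list are all constructed for the example.

```php
<?php
// Added example: a minimal hardened upload handler (not File Thingie's code).
// Assumptions: login already established $_SESSION['user']; UPLOAD_DIR is
// OUTSIDE the DocumentRoot and is owned by the web server user with mode 0770.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/private_uploads'; // assumed path, never served by Apache
const MAX_BYTES  = 10 * 1024 * 1024;           // 10 MiB per file (constructed limit)

// Allow-list of extension => MIME type expected from the file's actual content.
const ALLOWED = [
    'pdf'  => 'application/pdf',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'zip'  => 'application/zip',
];

/**
 * Validate one $_FILES entry. Returns [storedName, originalName] or throws.
 * The stored name is random so nothing the client sent ends up in the path.
 */
function validate_upload(array $file): array
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . ($file['error'] ?? 'unknown'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Keep only the base name of the client-supplied name; never trust a path.
    $original = basename((string) $file['name']);
    $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('File type not allowed');
    }
    // Sniff the real content type; $file['type'] is whatever the client claimed.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("Content does not match .$ext");
    }
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    return [$stored, $original];
}

/** Move a validated upload into UPLOAD_DIR and return the stored name. */
function store_upload(array $file, string $user): string
{
    [$stored, $original] = validate_upload($file);
    $target = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($target, 0640); // readable by the server user only, never executable
    // Audit trail: who uploaded what; the original name is kept only as metadata.
    error_log(sprintf('upload user=%s stored=%s original=%s', $user, $stored, $original));
    return $stored;
}

// Request handling: require an authenticated session before touching $_FILES.
session_start();
if (empty($_SESSION['user'])) {
    http_response_code(403);
    exit('Login required');
}
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['upload'])) {
    try {
        $name = store_upload($_FILES['upload'], $_SESSION['user']);
        echo 'Stored as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The design choice that matters most is the location: because the files live outside the DocumentRoot, Apache never serves them directly, so a file that happens to contain PHP is stored as data and never run, regardless of the folder's mode bits. The trade-off is that the files must be handed back through a separate download script that checks the same session login and looks the random stored name up in the per-user record written above.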
  2. kokokos

    kokokos Newbie

    Joined:
    Sep 8, 2010
    Messages:
    23
    Likes Received:
    7
    Occupation:
    IM Full Time
    Location:
    In God's Vagina - Thailand
    First off, those two lines are not for the .htaccess file; they are commands to be executed on your Linux server. Securing your upload script will take much more effort than just executing two commands. If you are serious about keeping hackers out of your site and you have no Linux sysadmin experience whatsoever, I suggest you hire one at least to set things up. Besides that, I wouldn't suggest you use PHP for file upload; consider using Perl to handle uploads in conjunction with a PHP GUI.
     
  3. Dexograph

    Dexograph Newbie

    Joined:
    Jan 4, 2011
    Messages:
    42
    Likes Received:
    15
    I don't know how many people on BlackHatWorld would know that.

    I suggest going on a forum specialized for coding and get free help.
    OR, go on HackForums and see if you can get someone who knows their stuff to see if you have any vulnerabilities.
     