I am trying to assess our security risk if we allow a form on our public website that lets the user upload any type of file and have it stored in the database.

I am worried about the following:

  • Robots uploading information
  • A huge increase in the size of the database
  • The form is a resume upload, so HR people will be downloading those files expecting a jpeg, doc or pdf but actually getting a virus.
+1 A: 
  1. You can use CAPTCHAs to deal with robots.
  2. Set a reasonable file size limit for each upload.
Brinley Ang
Captchas do not stop the latest generation of robots. In fact, with the newer robots, the robot can read the captcha easier than a human can in many cases.
BBlake
A: 

In general, if you really mean to allow any kind of file to be uploaded, I'd recommend:

  • A minimal type check using MIME magic numbers to verify that the file's contents correspond to its extension (though this doesn't solve much if you are not going to limit the kinds of files that can be uploaded).
  • Better yet, have an antivirus (the free ClamAV, for example) check the file after uploading.

On storage, I always prefer to use the filesystem for what it was created for: storing files. I would not recommend storing files in the database (supposing a relational database). You can store the metadata of the file in the database and a pointer to the file on the file system. Generate a unique id for the file and you can use a 2-level directory structure to store the data. E.g.: Id=123456 => /path/to/store/12/34/123456.data

That said, this can vary depending on what you want to store and how you want to manage it. It's not the same to serve a document repository, an image gallery or a simple "shared directory".

Ramon Poca
A: 

You can do multiple checks on your file upload control.

1) Check the extension of the file (.wmv, .exe, .doc). This can be implemented with a regex.

2) Actually check the file header or definition type (e.g. gif, word, image, xls, etc.). Sometimes the file extension is not sufficient.

3) Limit the file size (e.g. 20 MB).

4) Never accept the filename provided by the user. Always rename the file to some GUID according to your specifications. This way a hacker won't be able to predict the actual name of the file which is stored on the server.

5) Store all the files outside the web virtual directory, preferably on a separate file server.

6) Also implement a CAPTCHA for the file upload.

Rasik Jain