views:

873

answers:

5

I just implemented uploadify in my project, and I noticed what seems like an important security issue with the uploading process:

The folder in which the file should be uploaded is provided as a javascript argument, so client-side. If the user changes the script and fills in a different folder (e.g. "/") for the upload, the file gets uploaded to that different folder.

There is an option in the config to filter the filetypes, but again it's provided on the client side ("fileExt").

So am I wrong to think this could lead to a possible hack? Uploading a php file anywhere in the Web Root and executing it seems easy.

  • Is it the desired behavior?
  • Should I just cross-check the upload folder in the uploadify.php file?
  • Should I send a notice to the uploadify makers?

I'm sure I'm not the first one to think about this. Oh, and the same goes for other config parameters, like sizeLimit and queueSizeLimit.

+4  A: 

Just looked at the code (haven't installed it anywhere), and it certainly looks like this is a security problem. Looking at uploadify.php, I see this:

$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';

Which means that passing "/" would put the file in the document root (i.e. the home directory of your website). Of course, the user could easily (for example) pass in a folder parameter like '../../etc' and a file named 'passwd'. Or, more trivially, he could upload a "logo.jpg" to the document root and, hey, now you've got porn for a site logo!

Of course, even if you sandbox the users, there are still lots of potential problems with allowing a user to arbitrarily upload a file to your server. What if they upload a .php file, then go to that file with their browser? They suddenly have the ability to execute arbitrary code on your server!

If you want to do this, you should force the user's uploads into a restricted directory (the realpath function will sanitize the path, in case the user created crazy paths with "../.." or whatever), and you should restrict the types of files allowed (e.g. to only ".jpg", ".gif", ".png" or whatever). Even then, a malicious user could DoS you by filling up your disk quota.

Kip
OK. So I'll make sure to sanitize all the parameters server-side, and I can implement a flood-preventing function as well. I'll notify the Uploadify team, too... They should warn inexperienced users somewhere in the manual/doc.
altermativ
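The mitigations Kip lists (a fixed upload directory, a realpath containment check, an extension whitelist, and a size limit enforced on the server) combined into one PHP upload handler. This is an added example, not code from Uploadify or from any answer in this thread. It assumes the upload field is named Filedata (Uploadify's default), that uploads live under /var/www/site/uploads, and that the caller expects the sample script's convention of echoing 1 on success; all three are assumptions, not facts from the page.

```php
<?php
// Added example, not Uploadify's own code: a hardened replacement for the
// $targetPath line quoted in the answer above.
//
// The original, vulnerable line, shown only for contrast (never use it):
//   $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';

const UPLOAD_BASE    = '/var/www/site/uploads';   // assumed; keep it outside any PHP-executing directory
const MAX_BYTES      = 2 * 1024 * 1024;           // enforced here, regardless of sizeLimit in the JavaScript config
const ALLOWED_EXT    = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
const ALLOWED_SUBDIR = ['avatars', 'gallery'];    // the only folder names a client may send

function fail(int $code, string $msg): void {
    http_response_code($code);
    exit($msg);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_FILES['Filedata'])) {
    fail(400, 'no file');
}
$f = $_FILES['Filedata'];
if ($f['error'] !== UPLOAD_ERR_OK) {
    fail(400, 'upload error ' . $f['error']);
}
if ($f['size'] > MAX_BYTES) {
    fail(413, 'file too large');
}

// 1. Folder: accept only a name from a fixed list, never a client-built path.
//    "../../etc" or "/" from the folder parameter is rejected before touching the disk.
$sub = $_POST['folder'] ?? 'gallery';
if (!in_array($sub, ALLOWED_SUBDIR, true)) {
    fail(400, 'bad folder');
}
$base = realpath(UPLOAD_BASE);
$dir  = realpath(UPLOAD_BASE . '/' . $sub);
// Belt and braces: even with the whitelist, prove the resolved path is inside the base.
// realpath() returns false for a missing directory, so that case fails closed too.
if ($base === false || $dir === false || strpos($dir . '/', $base . '/') !== 0) {
    fail(500, 'upload directory misconfigured');
}

// 2. Type: extension whitelist AND content sniffing. ".php" is not in the
//    whitelist at all, and a PHP file renamed to ".jpg" fails the finfo check.
$ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
if (!isset(ALLOWED_EXT[$ext])) {
    fail(415, 'extension not allowed');
}
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
if ($mime !== ALLOWED_EXT[$ext]) {
    fail(415, 'content does not match extension');
}

// 3. Name: discard the client's filename entirely. A random name plus the
//    whitelisted extension cannot overwrite logo.jpg, and a double extension
//    such as "shell.php.jpg" (which some Apache mod_mime setups would execute)
//    never reaches the disk because only the last, whitelisted extension survives.
$dest = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

// 4. Store only via move_uploaded_file(), which refuses any path that was not
//    uploaded in this request.
if (!move_uploaded_file($f['tmp_name'], $dest)) {
    fail(500, 'could not store file');
}
chmod($dest, 0644);   // readable, never executable
echo '1';             // assumed success convention of the sample script
```

The size and type checks here duplicate what the JavaScript config claims to do; that duplication is the point, since the client-side values are advisory only. The quota exhaustion Kip mentions is not addressed by this script and needs a per-user or per-directory limit outside it.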
+1  A: 

That is indeed a security issue, path traversal. You should email them and ask them to fix it.

Collin
+1  A: 

Hi, I just want to give my opinion about your post. You forget an important thing in your analysis. Developers HAVE TO check variables in the server-side script. Whether you use javascript (like uploadify, or your own script) or you don't use javascript (just a simple FORM in html), YOU HAVE to check the data in the server-side script. So it doesn't matter whether you are using uploadify or not for your security. Don't forget that it's easy to build an HTTP request and send it to the server. So the security of a web application does not depend on the client.

Thanks for your attention

GUIGUI

guigui
Of course. But uploadify, with only a few warnings, gives inexperienced users a false sense of security by pretending to limit the file size or file type.
altermativ
+1  A: 

You are free to put files anywhere using your server-side script and your config. I never use their javascript config for such things.

umpirsky
A: 

I know this is a bit old topic, but here's a note from plugin developer:

Given the wide variety of scripting languages, server side validation is up to the users to code. We are developing the plugin to allow those who know what they are doing to use what ever language they want for the front end and back end. And creating new scripts to retrieve information makes it that little bit harder for other users to implement, for example those using aspx, java, codeigniter etc.. would need to rewrite major portions of the plugin.

You can read it in full here.

Remember, server validation is a must! You cannot ignore it, ever. This is what I've learnt reading SO and the PHP manual.

Tom