I would like to give my web application write access to a particular folder on my web server. My web app can create files on this folder and can write data to those files. However, the web app does not provide any interface to the users nor does it publicize the fact that it can create files or write to files. Am I susceptible to any security vulnerabilities? If so, what are they?

+1  A: 

You are susceptible to having your server tricked into writing malicious files into that location.

The issues that can arise out of that depend on what happens with that folder.

  • Is it web-accessible?

Then malicious files can be hosted, such as stealing cookies or serving up malware.

  • Is it a folder where applications are executed automatically?

This would be madness. Do not do this.

  • Is it just some place where you store files for later processing?

Consider what could happen if malicious files are put there. Malicious PDFs, say, fed into your PDF processing system, and then some PDF bug is executed that causes some malicious code to be executed, and then it's all over.

Basically, the issue you expose yourself to, potentially, is as I said - malicious files in that location. You can think through carefully what happens in that folder, and how exposed it is, and decide for yourself how risky it is.

With those risks identified, you can then decide how to go ahead. And obviously, you probably don't allow direct uploads to that area, so you can consider the risk being significantly less, because you are basically assessing a situation in which someone has identified a bug in your webserver that lets them, without you providing access, tell it to save some file in some place. I'd hazard to say there aren't hundreds of these types of issues. There may be though. Hence the reason it is appropriate to minimise the risk of a file in that folder, by making sure the folder and files therein are used in a restricted way and, if possible, checked to see if they are "good" files.

Noon Silk
Madness? THIS. IS. SPARTA!
webdestroya
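The answer's closing advice (keep the folder restricted, and check that what lands in it is a "good" file) can be turned into a small write routine. The following is an added example and is not code from the thread; it assumes the storage folder sits outside the web server's document root, that the application only ever expects PDF or PNG content (a constructed allowlist), and that file names are chosen by the application rather than taken verbatim from a client. The function names `is_safe_filename`, `sniff_type`, `store_file` and `demo` are the example's own.

```python
import os
import re
import stat
import tempfile

# Assumed layout (not from the thread): the writable folder lives outside the
# web server's document root, so nothing stored here is ever served directly.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Constructed allowlist of content the application expects, identified by
# leading bytes rather than by the extension a caller claims.
MAGIC = {
    b"%PDF-": ".pdf",
    b"\x89PNG\r\n\x1a\n": ".png",
}


class RejectedFile(ValueError):
    """Raised when a write request fails a safety check."""


def is_safe_filename(name: str) -> bool:
    """Plain names only: no separators, no '..', no leading dot, bounded length."""
    return bool(SAFE_NAME.match(name)) and ".." not in name


def sniff_type(data: bytes):
    """Return the expected extension for recognised content, else None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def store_file(base_dir: str, name: str, data: bytes) -> str:
    """Write data under base_dir after validating name, location and content.

    Returns the absolute path written; raises RejectedFile otherwise.
    """
    if not is_safe_filename(name):
        raise RejectedFile(f"bad filename: {name!r}")
    ext = sniff_type(data)
    if ext is None:
        raise RejectedFile("content is not a permitted type")
    if not name.endswith(ext):
        raise RejectedFile(f"extension does not match content ({ext})")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name))
    # Belt and braces: the resolved path must still be directly inside the folder.
    if os.path.dirname(path) != base:
        raise RejectedFile("path escapes the storage folder")
    # Create-only (never clobber an existing file), owner read/write, no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    except Exception:
        os.unlink(path)
        raise
    return path


def demo() -> dict:
    """Run the checks over constructed inputs; returns the outcome per case."""
    samples = {
        "ok_pdf": ("report.pdf", b"%PDF-1.4\n% constructed sample\n"),
        "traversal": ("../../var/www/html/x.pdf", b"%PDF-1.4\n"),
        "script_as_pdf": ("evil.pdf", b"<?php echo 'constructed'; ?>"),
        "wrong_ext": ("image.pdf", b"\x89PNG\r\n\x1a\n"),
        "absolute": ("/etc/passwd", b"%PDF-1.4\n"),
    }
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for case, (name, data) in samples.items():
            try:
                path = store_file(base, name, data)
                mode = stat.S_IMODE(os.stat(path).st_mode)
                results[case] = ("stored", mode)
            except RejectedFile as exc:
                results[case] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14s} -> {outcome}")
```

The three checks map onto the answer's bullet points: the content sniff and extension match guard the "later processing" case (a PHP script or anything else unexpected never reaches the PDF processor), the name and path checks stop a write from landing in a web-accessible or auto-executed directory, and the `0o600` create-only open means even a file that does get written cannot be executed or read by other accounts on the host.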