
The Insecurity of Web Upload Forms

Convenience aside, allowing anonymous visitors to upload files to your site is pretty much like opening the gates and telling malicious users it is okay to compromise your server. This puts you, the website owner, in a very tough position, considering that such upload permissions have become commonplace on today's internet and have proven to increase business efficiency.

Having the ability to upload files is a regular feature on social networking sites such as Facebook, MySpace and Twitter, as well as on blogs, forums and online banking sites. This feature is also prevalent in corporate portals, as it allows end-users to share files with business employees. In these environments, users are permitted to upload documents, pictures, music, videos and several other types of files. The more functionality an end-user is provided with, the greater the probability of creating a vulnerable web application. It is a known fact that many internet users abuse their privileges to gain access to a specific site or compromise a web server.


During recent tests, security experts have discovered that an alarming number of widely used web applications are not making use of secure upload forms. According to their findings, many of these vulnerabilities were easily detected and exploited, allowing experts to gain full access to the file system on the web server hosting those applications. Most of these vulnerabilities were the direct result of improper security configurations, essentially permitting intruders to roll right in.

Viable Solutions

Below is a list of practices you or your system administrator should enforce when file uploads are allowed to your website or web applications:

– Create an .htaccess file that only permits access to files with allowed extensions


– Do not put the .htaccess file in the same directory where the files uploaded by users will be stored. This file should be stored in the parent directory, which your visitors do not have access to.

– A typical .htaccess file that only allows jpg, jpeg, gif and png files should include the following lines:

# Deny everything by default (the directory must permit AllowOverride Limit)
deny from all
# Re-allow only names made of word characters, one dot, and an allowed image extension
<Files ~ "^\w+\.(gif|jpe?g|png)$">
order deny,allow
allow from all
</Files>

These lines can be adjusted to suit your own needs. Editing the .htaccess file in this manner will not only ensure that only these file types are served, but also protect you from double extension attacks, because the pattern allows exactly one dot in the file name, so a name such as image.php.jpg does not match.

– If at all possible, make sure the files uploaded by users are placed in a directory outside of the server root.


– Do not allow existing files to be overwritten. This will prevent exploits such as the .htaccess overwrite attack.

– Do not rely solely on client-side validation. This is simply not enough to ensure an adequate level of security. It is advisable to implement both client-side and server-side validation.
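The following is an added example, not code from the original article, showing what the server-side half of that validation can look like in a Python upload handler. It applies the same single-dot file name rule as the .htaccess pattern above, checks the file's leading bytes against the claimed image type, stores the file under a server-generated name in a directory of the administrator's choosing (assumed to be outside the web root), and refuses to overwrite existing files. The allowed-type table, size limit and sample inputs are constructed for this example.

```python
import os
import re
import secrets
import tempfile

# Constructed table: allowed extension -> leading bytes a genuine file of that type starts with.
ALLOWED_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Same rule as the .htaccess pattern: word-character stem, exactly one dot, one allowed extension.
SAFE_NAME = re.compile(r"^\w+\.(gif|jpe?g|png)$", re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised when an upload fails any server-side check."""


def validate_upload(filename: str, data: bytes, max_bytes: int = 2 * 1024 * 1024) -> str:
    """Return the normalized extension if the upload passes every server-side check.

    Only the raw name and bytes are inspected, so skipping browser-side validation
    changes nothing about the outcome.
    """
    # Drop any directory component the client may have sent ("sub/dir/x.png", "C:\\x.png").
    base = os.path.basename(filename.replace("\\", "/"))
    m = SAFE_NAME.match(base)
    if not m:
        # Rejects "x.php", "x.php.jpg", "x.jpg.php", ".htaccess" and empty names alike.
        raise UploadRejected(f"filename not allowed: {base!r}")
    ext = m.group(1).lower()
    if len(data) == 0 or len(data) > max_bytes:
        raise UploadRejected("upload is empty or exceeds the size limit")
    # The extension alone proves nothing; the content must look like the claimed type.
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        raise UploadRejected(f"content does not match .{ext}")
    return ext


def is_accepted(filename: str, data: bytes) -> bool:
    """Yes/no wrapper around validate_upload for callers that only need a decision."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


def store_upload(filename: str, data: bytes, upload_root: str) -> str:
    """Validate, then write under a server-chosen name; never overwrite an existing file.

    upload_root is assumed to be a directory outside the web server's document root.
    """
    ext = validate_upload(filename, data)
    # Random server-generated name: the client cannot choose the path or the stem.
    dest = os.path.join(upload_root, f"{secrets.token_hex(16)}.{ext}")
    # O_EXCL makes creation fail if the name already exists instead of overwriting it.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Constructed sample run in a temporary directory; every value should be True."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32          # minimal constructed PNG header
    root = tempfile.mkdtemp(prefix="uploads_")
    first = store_upload("avatar.png", png, root)
    second = store_upload("avatar.png", png, root)     # same client name, distinct server name
    nested = store_upload("sub/dir/avatar.png", png, root)
    return {
        "distinct_names": first != second,
        "all_in_root": {os.path.dirname(p) for p in (first, second, nested)} == {root},
        "double_ext_rejected": not is_accepted("image.php.jpg", png),
        "reversed_double_ext_rejected": not is_accepted("image.jpg.php", png),
        "htaccess_rejected": not is_accepted(".htaccess", b"allow from all"),
        "wrong_content_rejected": not is_accepted("image.png", b"not really a png"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The check order matters: the name is examined before the bytes, so a rejected name never reaches the content sniffing, and a server-generated name plus O_EXCL means the client controls neither where the file lands nor whether anything already there is replaced. Signature checks on leading bytes are a cheap floor, not a full image parser; an image library that re-encodes the file is a stronger complement.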

Conclusion

There are several ways a malicious user can bypass the security configurations applied to a file upload form. When incorporating such a feature into your web applications, you should make it a priority to follow the best security practices and put them to the test on a regular basis. While this requires a considerable amount of security expertise, it is worth every bit of time to make sure your website is protected.
