
Author Topic: Simple way to disable Upload Functionality (for Security)  (Read 8442 times)

Armen

  • Sr. Member
  • ****
  • Karma: 41
  • Posts: 338
    • http://www.funnydays.ru
Simple way to disable Upload Functionality (for Security)
« on: February 08, 2007, 06:05:06 pm »

If you are, like myself, aware of 'hackers' or just think about the future, I'd recommend using external programs for uploading files to the server. sNews allows you to do that, but file-by-file, and it scans the whole directory structure every time. So, if someone gets to this part of the administration area, you'll be in trouble - all your work will be exposed: php scripts, hidden areas and so on.

To save yourself, just create the "files" folder in the root of your site. The server will first check whether the folder exists on the request, and if the folder exists and is empty or forbidden for listing, a "Forbidden" error will appear. No uploader will be shown or processed.

That's it.
Logged
Now ogres, oh, they're much worse. They'll make a suit from your freshly peeled skin. They'll shave your liver, squeeze the jelly from your eyes... Actually, it's quite good on toast.

Patric Ahlqvist

  • Nobody's perfect, but I'm pretty effing close
  • ULTIMATE member
  • ******
  • Karma: 65
  • Posts: 4867
  • I'm a self-made man and worships my creator.
    • p-ahlqvist.com
Simple way to disable Upload Functionality (for Security)
« Reply #1 on: February 08, 2007, 06:15:59 pm »

So you mean if I make a folder called files in my folder, I could log on and try to access my files option in the admin area, but I wouldn't succeed?

No, you can't mean that, as it does not work that way... I see everything nev'theless... Could you explain more in detail, Serp... ?
Logged
"It's only dead fish that goes with the flow... "
Updated

michael kennedy

  • Full Member
  • ***
  • Karma: 3
  • Posts: 207
    • SpektreDesign
Simple way to disable Upload Functionality (for Security)
« Reply #2 on: February 08, 2007, 06:19:21 pm »

Interesting idea. But better yet, why not have sNews generate this folder if the user uses the upload feature?  And then of course, ONLY upload files into this folder?

Oh wait a minute....  because that would still pose a potential security threat!  If the hacker is able to upload any file, into any folder, (even a "files" folder) he can still upload a *script*. A script which has the potential to browse all directories, and even be used as an upload mechanism to upload anything anywhere, even on the root itself.  

I think a better option would be to allow us to enable or disable this "feature" altogether based upon a variable from within the sNews script.

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Simple way to disable Upload Functionality (for Security)
« Reply #3 on: February 08, 2007, 06:21:38 pm »

In function filelist... you can keep certain files-types and folders from being displayed in the File Uploader panel by adding their names to the array strings within the top part of the function. Then... "Bob's Your Uncle!" :)

Quote
// FILELIST FUNCTION
function filelist($mode, $path, $depth = 0) {
// Folders or files you DON'T want displayed... by name
   $ignore = array('cgi-bin', '.htaccess', '.', '..', 'Thumbs.db');
// File extensions you DON'T want displayed... by file-type
   $extension = array('.php', 'html');
Logged
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU
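The filtering this reply describes, as an added example written for this page (it is not sNews code and not the poster's); the function name filelist_filtered, the temporary sample directory and the file names in it are constructed for the demo:

```php
<?php
// Added example (not sNews code): a directory lister that applies the same two
// denylists the reply describes, a list of names to hide and a list of file
// types to hide. The sample directory below is constructed for the demo.

function filelist_filtered(string $path, array $ignore, array $extension): array {
    $shown = [];
    foreach (scandir($path) as $name) {
        // Skip entries by exact name ('.', '..', cgi-bin, .htaccess, Thumbs.db ...)
        if (in_array($name, $ignore, true)) {
            continue;
        }
        // Skip entries by file type; compare the real extension, lower-cased and
        // with a leading dot, so 'Index.PHP' is treated like 'index.php'
        $ext = '.' . strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (in_array($ext, $extension, true)) {
            continue;
        }
        $shown[] = $name;
    }
    sort($shown);
    return $shown;
}

// Constructed sample directory: one sub-folder plus a mix of file types
$dir = sys_get_temp_dir() . '/filelist_demo_' . getmypid();
mkdir($dir);
mkdir($dir . '/cgi-bin');
foreach (['.htaccess', 'Thumbs.db', 'index.php', 'Index.PHP', 'page.html', 'notes.txt', 'logo.png'] as $f) {
    touch($dir . '/' . $f);
}

$ignore    = ['cgi-bin', '.htaccess', '.', '..', 'Thumbs.db'];
$extension = ['.php', '.html'];   // every entry in the same form: leading dot, lower case

print_r(filelist_filtered($dir, $ignore, $extension));

// Remove the sample directory again
foreach (scandir($dir) as $f) {
    if (is_file("$dir/$f")) {
        unlink("$dir/$f");
    }
}
rmdir($dir . '/cgi-bin');
rmdir($dir);
```

Two practical points. First, both lists are denylists: anything not named in them is shown, so a new file type or folder has to be remembered and added. Second, the comparison only works when the list entries and the extracted extension use the same form; the quoted snippet mixes '.php' and 'html', and whether the second entry matches depends on how the rest of the sNews function compares names, so keeping every entry in one form (leading dot, lower case) avoids an entry silently never matching.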

michael kennedy

  • Full Member
  • ***
  • Karma: 3
  • Posts: 207
    • SpektreDesign
Simple way to disable Upload Functionality (for Security)
« Reply #4 on: February 08, 2007, 06:23:12 pm »

keyrocks, that's true, but most hackers don't really care about files that are already up there.  In the case of sNews they will merely delete currently active articles, or upload files which open a backdoor.

tyee

  • Jr. Member
  • **
  • Karma: 0
  • Posts: 56
Simple way to disable Upload Functionality (for Security)
« Reply #5 on: February 08, 2007, 09:07:23 pm »

Yes, let's be able to totally disable this if desired. Good idea!
Logged

Armen

  • Sr. Member
  • ****
  • Karma: 41
  • Posts: 338
    • http://www.funnydays.ru
Simple way to disable Upload Functionality (for Security)
« Reply #6 on: February 08, 2007, 09:08:59 pm »

Quote from: mike
keyrocks, that's true, but most hackers don't really care about files that are already up there.  In the case of sNews they will merely delete currently active articles, or upload files which open a backdoor.
Exactly. That's why, sometimes, less is more.

The uploading feature is a great addition when you're far away from your own machine, but it's also a serious potential flaw (in old 1.5.30, for example).

And yes, the files function sends the "files" request, and the server checks for a folder first... So create a folder and keep it empty... Or dive into the code and disable it from within the script:

Code: [Select]
// Comment this line (around 627)
// case 'files': files(); return; break;

// And replace it with
case 'files': return; break;
No offence, Luka and Mika. Just my casual paranoia.

Quote
Yes, let's be able to totally disable this if desired. Good idea!
But from within the code. If you add such an option to the admin panel it would be virtually useless in case someone gets to your website's admin panel, right?
Logged
Now ogres, oh, they're much worse. They'll make a suit from your freshly peeled skin. They'll shave your liver, squeeze the jelly from your eyes... Actually, it's quite good on toast.

codetwist

  • Hero Member
  • *****
  • Karma: 50
  • Posts: 940
Simple way to disable Upload Functionality (for Security)
« Reply #7 on: February 08, 2007, 09:37:42 pm »

If from code, it's still better to have it as a hardcoded variable along with the other site parameters, without any representation for change in the admin interface. Thus enabling/disabling will be easier.

Anyway, if someone gets to a functional admin panel, the site is at least temporarily damaged.

« Last Edit: September 24, 2007, 01:00:52 pm by codetwist »
Logged
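Armen's reply #6 disables the uploader by editing the 'files' case in the request switch, and codetwist's reply suggests a hard-coded site parameter instead. An added example, written for this page and not taken from sNews, that combines the two; the constant SNEWS_ENABLE_UPLOADS, the dispatch() function and the stub panels are constructed for the demo:

```php
<?php
// Added example (not sNews code): a hard-coded site parameter that switches the
// file uploader off. The constant name and the dispatch() function below are
// constructed; in sNews the equivalent is the 'files' case that reply #6 edits.

// Keep this with the other hard-coded settings, never in the database and never
// exposed in the admin panel: whoever reaches the admin panel cannot flip it,
// and re-enabling it later is a one-line edit.
define('SNEWS_ENABLE_UPLOADS', false);

// Stand-ins for the real admin panels
function files(): string {
    return 'uploader panel rendered';
}

function articles(): string {
    return 'articles panel rendered';
}

function dispatch(string $action): string {
    switch ($action) {
        case 'files':
            if (!SNEWS_ENABLE_UPLOADS) {
                // Answer exactly as for an unknown action, so the disabled
                // feature is not advertised as "present but switched off"
                http_response_code(404);
                return '';
            }
            return files();
        case 'articles':
            return articles();
        default:
            http_response_code(404);
            return '';
    }
}

echo dispatch('files') === '' ? "uploads disabled\n" : "uploads enabled\n";
echo dispatch('articles'), "\n";
```

Compared with the edit in reply #6, the guard inside the case keeps the original function call in place, so turning uploads back on for a session away from home is a matter of changing the constant rather than re-applying a code edit.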

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Simple way to disable Upload Functionality (for Security)
« Reply #8 on: February 08, 2007, 11:22:43 pm »

Well.. I would guess that there is no perfect solution. The main objective is to keep any hacker from finding the admin panel in the first place... and keeping him/her from making use of the database-based username & password to get logged in. We already have these two probabilities covered... in addition to all the extra stuff Mika and Luka have applied. I'm confident enough to go live with 1.5.31 soon. :)
Logged
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

michael kennedy

  • Full Member
  • ***
  • Karma: 3
  • Posts: 207
    • SpektreDesign
Simple way to disable Upload Functionality (for Security)
« Reply #9 on: February 09, 2007, 12:32:10 am »

I think brauck's comment here is a good hacker deterrent as well.

If the path to the login page is something else besides the default /login/, as it's set from within sNews - the hacker will have no way of finding it yes?

piXelatedEmpire

  • MIA
  • ULTIMATE member
  • ******
  • Karma: 37
  • Posts: 1401
  • currently MIA
Simple way to disable Upload Functionality (for Security)
« Reply #10 on: February 09, 2007, 01:10:32 am »

Quote from: keyrocks
I'm confident enough to go live with 1.5.31 soon. :)
I'll just wait for 1.5.32 :D

Quote from: mike
If the path to the login page is something else besides the default /login/, as it's set from within sNews - the hacker will have no way of finding it yes?
No.  There are tools available that scan a URL and provide you with a list of pages attached to that URL.  If a hacker wants to find your login page, they will.

IMHO the best option at this stage is to hardcode the username and password and NOT store these variables in a database.

That and secure as possible coding techniques, which Luka and Mika are currently working on :)
Logged
my apologies to the sNews crew, but I will be MIA for the foreseeable future

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Simple way to disable Upload Functionality (for Security)
« Reply #11 on: February 09, 2007, 01:21:34 am »

Quote from: mike
I think braucks comment here is a good hacker deterrent as well.
If the path to the login page is something else besides the default /login/, as it's set from within sNews - the hacker will have no way of finding it yes?
Yes... that's the 'extra' I use to keep any hacker from finding the admin panel in the first place, along with the hard-coded username and password to override the dbase username & password. In the off-chance that a hacker DID manage to get the login panel displaying... and managed to get the login u-name and p-word from the settings table in the database... they would be useless... as the hard-coded ones override the d-base settings. In a sense... the d-base settings become useless hacker feed.

Now... P-Empire's point is interesting... that there are URL scanners that can scan your URL and pick up all the pages attached to it.  I question whether this is the case. It would make sense if the login panel was a physical page. However... in sNews... the login page & link to it don't physically exist until it is requested... it is only created "on demand"... and it disappears - physically speaking - once the panel leaves the screen. The links to articles and pages are stored in the dbase's articles table, but the link to the login panel is hard-coded and not in a dbase table. For this reason, I doubt the login panel link can be found in a scan of that sort. By all means... correct me if I am wrong. :)
Logged
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

piXelatedEmpire

  • MIA
  • ULTIMATE member
  • ******
  • Karma: 37
  • Posts: 1401
  • currently MIA
Simple way to disable Upload Functionality (for Security)
« Reply #12 on: February 09, 2007, 02:03:36 am »

ooooh I didn't think of that keys.. I believe.. touche :D
Logged
my apologies to the sNews crew, but I will be MIA for the foreseeable future

mike1

  • Full Member
  • ***
  • Karma: 6
  • Posts: 199
Simple way to disable Upload Functionality (for Security)
« Reply #13 on: February 09, 2007, 05:09:39 am »

Another option would be to set the file extensions allowed (i.e. only .pdf, .doc, .mp3) and disallow (.php, .cgi etc.) files from being uploaded, hardcoded of course.  I'm not sure if this is already in the 1.5.31 core because I haven't looked at it, but I'm reasonably certain it wasn't in 1.5.30.

I'm just posting an option I haven't seen already (i.e. I personally wouldn't need the option, but it's just an idea).
Logged
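The extension check mike1 suggests, as an added example written for this page (not sNews code and not the poster's). It goes a step beyond the suggestion by using an allowlist rather than a denylist and by requiring exactly one extension; the constant ALLOWED_UPLOAD_EXTENSIONS, the function upload_name_allowed and the sample names are constructed for the demo:

```php
<?php
// Added example (not sNews code): an allowlist check on an uploaded file name.
// The allowed list and the function name are constructed for this demo.

const ALLOWED_UPLOAD_EXTENSIONS = ['pdf', 'doc', 'mp3', 'jpg', 'png'];

// Returns true only when the name has exactly one extension and that extension
// is on the allowlist. An allowlist is preferred over a denylist of .php, .cgi
// and so on because every server-side handler the host maps (phtml, php5,
// shtml, ...) would otherwise have to be remembered.
function upload_name_allowed(string $name): bool {
    // Drop any directory component the client may have sent along
    $base  = basename($name);
    $parts = explode('.', $base);
    // 'report.pdf' splits into two parts; a bare name, a dot-file such as
    // '.htaccess', or a double extension such as 'x.php.pdf' does not
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;
    }
    return in_array(strtolower($parts[1]), ALLOWED_UPLOAD_EXTENSIONS, true);
}

// Constructed sample names, the kind of input the check would see
foreach (['report.pdf', 'song.MP3', 'page.php', 'double.php.pdf', '.htaccess', 'README', '../x.pdf'] as $n) {
    printf("%-16s %s\n", $n, upload_name_allowed($n) ? 'accept' : 'reject');
}
```

The name check decides only what the file is called on disk; it says nothing about the content. Storing uploads in a folder the web server will not execute scripts from (reply #2 above raises this point) is the complementary measure, since an accepted name is then harmless even if the content is not what the extension claims.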

philmoz

  • High flyer
  • ULTIMATE member
  • ******
  • Karma: 161
  • Posts: 1988
    • fiddle 'n fly
Simple way to disable Upload Functionality (for Security)
« Reply #14 on: February 09, 2007, 05:14:35 am »

Quote from: keyrocks
Quote from: mike
I think braucks comment here is a good hacker deterrent as well.
If the path to the login page is something else besides the default /login/, as it's set from within sNews - the hacker will have no way of finding it yes?
Yes... that's the 'extra' I use to keep any hacker from finding the admin panel in the first place, along with the hard-coded username and password to override the dbase username & password. In the off-chance that a hacker DID manage to get the login panel displaying... and managed to get the login u-name and p-word from the settings table in the database... they would be useless... as the hard-coded ones override the d-base settings. In a sense... the d-base settings become useless hacker feed.

Now... P-Empire's point is interesting... that there are URL scanners that can scan your URL and pick up all the pages attached to it.  I question whether this is the case. It would make sense if the login panel was a physical page. However... in sNews... the login page & link to it don't physically exist until it is requested... it is only created "on demand"... and it disappears - physically speaking - once the panel leaves the screen. The links to articles and pages are stored in the dbase's articles table, but the link to the login panel is hard-coded and not in a dbase table. For this reason, I doubt the login panel link can be found in a scan of that sort. By all means... correct me if I am wrong. :)
As I understand it, if it can be presented to the web browser, it can be found. It might not be identified using a word search, so any automated mass hack may pass you by, but if it is a site by site hack by an individual, it will be found and used.
Logged
Of all the things I have lost, it is my mind that I miss the most.