in reply to Re: File Upload Security Question
in thread File Upload Security Question

While Ovid has already changed this behavior, I'll give an example for anyone with a similar situation who may be reading the thread:

Using your script (I believe), the user could upload a .htaccess file. The user could also upload a CGI file (for example) that the .htaccess allows to be run, and poof! The user now has full access to whatever the webserver ID can do (on most systems this is limited, but does include just about everything on the website). In Ovid's example, the user could get access to the database and twiddle any bits there (grades/scores?).

RE: RE:(2) File Upload Security Question
by Anonymous Monk on Jun 13, 2000 at 00:05 UTC
    I am also interested in giving users the ability to upload files to my website. Is it safe to allow users to upload a file as long as I name the file myself? I have an art business and I usually do drawings from photos. Ideally, I would like visitors of my site to be able to submit an image file to my site so I could give them a price quote for a drawing (or painting, etc). Do I need to take other precautions as well? Thanks, Rad (an humble newbie in Dallas)
        Thank you.
        That is *just* what I needed to get going.

        Gratefully,
        Rad
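
An added example, not code from any poster in this thread: a Perl sketch of an upload handler that sidesteps the .htaccess/CGI problem described at the top of the thread by never using the client's filename, accepting only content that starts like a JPEG, PNG or GIF, and writing outside the document root. The directory path, the function names and the sample inputs are assumptions made for illustration.

```perl
use strict;
use warnings;
use File::Spec;
use Digest::SHA qw(sha256_hex);

# Assumption: a directory outside the document root, so the web server
# never reads a .htaccess from it and never serves or runs its contents.
my $UPLOAD_DIR = '/var/uploads/quotes';

# Accepted image types, keyed by the leading bytes of the content.
my %MAGIC = (
    "\xFF\xD8\xFF"      => 'jpg',
    "\x89PNG\r\n\x1a\n" => 'png',
    "GIF87a"            => 'gif',
    "GIF89a"            => 'gif',
);

# Return the extension for recognised image data, or undef.
sub image_ext {
    my ($data) = @_;
    for my $sig (keys %MAGIC) {
        return $MAGIC{$sig} if substr($data, 0, length $sig) eq $sig;
    }
    return;
}

# The stored name comes from the content only; the client's filename
# (".htaccess", "x.cgi", "../index.html") is never consulted.
sub stored_name {
    my ($data) = @_;
    my $ext = image_ext($data) or return;
    return sha256_hex($data) . ".$ext";
}

sub save_upload {
    my ($data) = @_;
    my $name = stored_name($data) or die "rejected: not a JPEG, PNG or GIF\n";
    my $path = File::Spec->catfile($UPLOAD_DIR, $name);
    open my $fh, '>', $path or die "cannot write $path: $!\n";
    binmode $fh;
    print {$fh} $data;
    close $fh or die "close failed: $!\n";
    chmod 0640, $path;    # readable by the owner and group, never executable
    return $path;
}

# Constructed samples: a plain-text body (as a config or script would be)
# and the first bytes of a GIF.
for my $sample ("some text, not an image\n", "GIF89a\x01\x00\x01\x00") {
    my $name = stored_name($sample);
    print defined $name ? "accept as $name\n" : "reject\n";
}
```

The header check only confirms how the data begins, so the storage location and the server-chosen extension are what keep a file from being interpreted as configuration or code.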