I made a script for people to upload a file to a server from the internet. The script takes a file, renames it to the epoch seconds that correspond to its upload time, and stores it in a web-inaccessible directory on a web server, e.g. /upload.
How big is the risk of someone exploiting this script to hack the server? In particular I'm worried about someone inserting some code into the file that the CPU would execute, or putting "../../../../../etc/passwd" in the file to capitalize on the "open" or a similar command.
I was thinking maybe I should PGP-encrypt this file on the server. I'm also making a partition on the server that will just have "upload" data on it, to stop denial-of-service attacks (by filling up my hard drive).
How can I make this more secure? How can this be compromised?
Here's my code:
#!/usr/bin/perl -w
use strict;
use CGI;

my $upload_dir = "/upload";   # outside the document root, so not served by the web server
my $query = new CGI;
my $filename = $query->param("filename");
my $uldate = time;            # the stored name is the upload time in epoch seconds

# Strip any leading directory part from the client-supplied name.
# Note: $filename is not used below; the file is stored only under $uldate.
$filename =~ s/.*[\/\\](.*)/$1/;

my $upload_filehandle = $query->upload("filename");

# Three-argument open with an error check; ">" truncates, so two uploads
# arriving in the same second overwrite each other.
open UPLOADFILE, ">", "$upload_dir/$uldate"
    or die "cannot open $upload_dir/$uldate for writing: $!";
binmode UPLOADFILE;
while ( <$upload_filehandle> )
{
    print UPLOADFILE;
}
close UPLOADFILE or die "close failed: $!";
exit;
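The following is an added example and not the original poster's script: a hardened variant of the same upload handler, showing the checks a reviewer would ask for. It assumes /upload is outside the document root (as the post states) and that a 10 MiB per-request cap is acceptable; the cap, the PID suffix in the stored name, and the error responses are all choices made for this example.

```perl
#!/usr/bin/perl
# Added example, not the original poster's code. Assumptions: /upload is
# outside the document root, and a 10 MiB per-request limit is acceptable.
use strict;
use warnings;
use CGI;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# CGI.pm enforces this while parsing the request: a body larger than this is
# never buffered or written, which bounds how much disk one request can
# consume (assumed limit; must be set before CGI->new).
$CGI::POST_MAX = 10 * 1024 * 1024;

my $upload_dir = "/upload";    # web-inaccessible, ideally its own partition
my $query      = CGI->new;

# An oversized or malformed POST leaves an error string here and upload()
# returns undef, so check it first.
if ( my $err = $query->cgi_error ) {
    print $query->header( -status => $err, -type => 'text/plain' );
    print "Upload rejected: $err\n";
    exit;
}

my $in = $query->upload("filename");
unless ( defined $in ) {
    print $query->header( -status => '400 Bad Request', -type => 'text/plain' );
    print "No file supplied\n";
    exit;
}

# The client-chosen filename is deliberately never part of the path, so a
# name such as "../../../../etc/passwd" has nothing to traverse. The stored
# name is the epoch time plus this process's PID, which tells apart two
# uploads that arrive in the same second.
my $path = "$upload_dir/" . time . ".$$";

# O_EXCL makes creation fail instead of silently replacing an existing file;
# mode 0600 keeps other local users from reading what was uploaded.
sysopen( my $out, $path, O_WRONLY | O_CREAT | O_EXCL, 0600 )
    or die "cannot create $path: $!";
binmode $in;
binmode $out;

# Copy in fixed-size chunks. The line-oriented loop in the original works on
# binary data too, but a file with no newline at all is read into memory in
# one piece.
my ( $buf, $total ) = ( '', 0 );
while ( my $n = read( $in, $buf, 65536 ) ) {
    print {$out} $buf or die "write to $path failed: $!";
    $total += $n;
}
close $out or die "close of $path failed: $!";

# The file is only ever written here: never opened for reading, eval'd, or
# passed to a shell, so nothing in its contents is interpreted by this script.
print $query->header( -type => 'text/plain' );
print "Stored $total bytes\n";
```

Two caveats on what this does and does not cover. POST_MAX bounds a single request, not the number of requests, so a separate partition (or a quota) for /upload is still the right way to keep a flood of uploads from filling the root filesystem. And encrypting the stored file with PGP changes none of the risks above, since the script never reads or interprets the file; it only matters if the concern is someone reading the uploads off the disk later.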