I've developed a web application that lets users upload images and transform them, then download the transformed versions. I obviously had to give the apache user permissions on the directory where users upload:

$ chown root:www-data uploadFolder
$ chmod 1775 uploadFolder

This gives the apache group all permissions except removing.

The application creates a directory for each user session inside the uploadFolder directory with 0700 permissions, and saves the user's images inside.

The uploadFolder is inside the application directory.

When the image is uploaded, it is served directly (like a link) to the client.

A crontab job executes a script every 20 minutes that checks which sessions are active and removes all files and folders inside uploadFolder that don't match any active session.

It has been working fine for two months, but I'm not sure whether it could be dangerous for my application, database, or other sites on the same VPS.

Does anybody know the risk of being permissive in this situation?

Is there any alternative to avoid it?

This is my apache site configuration:

<VirtualHost *:80>
ServerName www.itransformer.es
ServerAlias itransformer.es *.itransformer.es
DocumentRoot /siteFolder
<Directory /var/www/itransformer-2.0/web>
   AllowOverride all
   Options -Indexes
</Directory>
</VirtualHost>

I added this code snippet to the Apache site configuration (this should prevent .htaccess files from being read):

<Directory /uploadFolder>
   AllowOverride none
   Options -Indexes
</Directory>
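The cron job described in the question is the part most worth getting right, because a cleanup script that runs as root or www-data and deletes whatever it finds in a directory other users can write to is itself a risk. The following is an added example, not the asker's script: it mirrors the layout from the question (a 1775 upload folder containing one 0700 directory per session) and removes stale session directories while refusing to touch symlinks, ordinary files, or directories whose names are not well-formed session ids. The hex session-id format and the sample folder it builds are assumptions made for the example.

```python
import os
import re
import shutil
import stat
import tempfile

# Assumption for this example: per-session directory names are lower-case hex
# strings (for instance a PHP session id). Anything else found under the
# upload folder is left alone and reported, never deleted.
SESSION_ID_RE = re.compile(r"^[0-9a-f]{16,64}$")


def sticky_bit_set(path):
    """True if the directory carries the sticky bit (the leading 1 in 1775)."""
    return bool(os.stat(path).st_mode & stat.S_ISVTX)


def cleanup_upload_folder(upload_folder, active_sessions):
    """Delete per-session directories that do not belong to an active session.

    Returns (removed, skipped): names that were deleted and names that were
    left in place because they are not a real, well-formed session directory.
    Symlinks are skipped before anything else so that a link planted in the
    upload folder can never make the job delete a tree elsewhere on disk.
    """
    upload_folder = os.path.realpath(upload_folder)
    active = set(active_sessions)
    removed, skipped = [], []
    for name in sorted(os.listdir(upload_folder)):
        path = os.path.join(upload_folder, name)
        if os.path.islink(path) or not os.path.isdir(path):
            skipped.append(name)          # file or symlink: not ours to delete
            continue
        if not SESSION_ID_RE.match(name):
            skipped.append(name)          # unexpected directory name
            continue
        if name in active:
            continue                      # live session, keep its images
        shutil.rmtree(path)
        removed.append(name)
    return removed, skipped


def demo():
    """Build a constructed upload folder, run one cleanup pass, report what survived."""
    root = tempfile.mkdtemp(prefix="uploadFolder-")
    outside = tempfile.mkdtemp(prefix="outside-")
    os.chmod(root, 0o1775)                # same mode as in the question
    live, stale, linked = "a" * 32, "b" * 32, "c" * 32
    for sid in (live, stale):
        os.mkdir(os.path.join(root, sid), 0o700)
        with open(os.path.join(root, sid, "image.png"), "wb") as f:
            f.write(b"constructed image bytes")
    with open(os.path.join(outside, "keep.txt"), "w") as f:
        f.write("must survive")
    os.symlink(outside, os.path.join(root, linked))   # link pointing out of the folder
    os.mkdir(os.path.join(root, "not-a-session"))
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("stray file")

    removed, skipped = cleanup_upload_folder(root, active_sessions=[live])
    result = {
        "sticky": sticky_bit_set(root),
        "removed": removed,
        "skipped": skipped,
        "live_kept": os.path.isfile(os.path.join(root, live, "image.png")),
        "outside_kept": os.path.isfile(os.path.join(outside, "keep.txt")),
    }
    shutil.rmtree(root)
    shutil.rmtree(outside)
    return result


if __name__ == "__main__":
    print(demo())
```

On the sticky-bit point raised in the comments: with the sticky bit set, a file in the folder can be deleted or renamed only by the file's owner, the folder's owner, or root. The apache process can therefore still delete the files it created itself; what the bit prevents is other members of the www-data group deleting each other's files.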
  • If the server is shared amongst different apps/users, then anybody who can upload scripts that the webserver can execute has full control over those directories, and can do whatever they want to them. You can look into things like suphp and the like to force php to run as a specific user.
    – Doon
    Commented Sep 16, 2013 at 12:48
  • Theoretically, users can just upload 3MB file size images to the specific directory, because of validation. How could anybody upload anything else?
    – Manolo
    Commented Sep 16, 2013 at 13:01
  • I meant if the server is shared and other people can upload code etc. All applications on the server run as www-data, so if there are other applications that you don't control that run as the webserver, you need to be mindful. But if you are in control of everything on the server (i.e. it isn't shared / you trust every server (not application) user), then the risk is minimized.
    – Doon
    Commented Sep 16, 2013 at 13:16
  • I don't see how chmod 1775 denies file removal. If you can write, you can remove as well...
    – Calimo
    Commented Sep 16, 2013 at 13:25
  • No, you can't due to sticky bit.
    – Manolo
    Commented Sep 16, 2013 at 14:15

1 Answer

You should first understand that security is a process, and you need to keep it in mind at all stages, and at all levels, of your development. Read and understand the OWASP Top 10 application security flaws and review your code with them in mind, both globally (your whole application) and locally (the individual parts of your application). Of course there are other security flaws, so you should inform yourself about them.

It is not possible to give good advice on this topic without any code and with only a very general and imprecise description as you are doing here. In your case I would especially watch for directory traversal, XSS, etc, but remember the risk can come from everywhere in your application.

In practice you probably want to run apache in a chroot jail, and I would also upload the folders with randomly-generated names rather than the name provided by the users (it appears from the updates of your question that you are already doing that). All in all, remember that this will just make any flaw you may still have more difficult to exploit, not prevent it altogether.
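The answer's two concrete points, directory traversal and keeping the upload folder outside the document root, are connected: once the folder is no longer under DocumentRoot, Apache cannot link to the images directly, so the application script has to read each file and send it, and that script becomes the place where a bad session id or file name must be rejected. The following is an added example, not the answerer's code or the asker's application; it is written in Python for illustration, and a PHP handler would perform the same checks before calling readfile() with an image Content-Type. The hex session-id format, the allowed file-name pattern and the temporary folders it builds are assumptions made for the example.

```python
import os
import re
import shutil
import tempfile

# Assumptions for this example: session ids are lower-case hex and image names
# are plain words with an image extension. Both are rejected early; the
# realpath containment check below is the second line of defence.
SESSION_ID_RE = re.compile(r"^[0-9a-f]{16,64}$")
FILENAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(?:png|jpe?g|gif)$")


class UploadPathError(ValueError):
    """Raised for any request that does not map to a file we are willing to serve."""


def resolve_upload_path(upload_root, session_id, filename):
    """Map (session id, file name) to an absolute path inside upload_root, or raise."""
    root = os.path.realpath(upload_root)
    if not SESSION_ID_RE.match(session_id):
        raise UploadPathError("malformed session id")
    if not FILENAME_RE.match(filename):
        raise UploadPathError("malformed file name")
    candidate = os.path.realpath(os.path.join(root, session_id, filename))
    # realpath has followed any symlink; the result must still be under root
    if os.path.commonpath([root, candidate]) != root:
        raise UploadPathError("path escapes the upload folder")
    if not os.path.isfile(candidate):
        raise UploadPathError("no such image")
    return candidate


def read_upload(upload_root, session_id, filename):
    """What the serving script does instead of a direct link: validate, then read."""
    with open(resolve_upload_path(upload_root, session_id, filename), "rb") as f:
        return f.read()


def is_blocked(upload_root, session_id, filename):
    """True if the request is refused by the checks above."""
    try:
        read_upload(upload_root, session_id, filename)
    except UploadPathError:
        return True
    return False


def demo():
    """Constructed upload root with one session folder; exercise good and bad requests."""
    root = tempfile.mkdtemp(prefix="uploads-")
    outside = tempfile.mkdtemp(prefix="outside-")
    sid = "d" * 32
    os.mkdir(os.path.join(root, sid), 0o700)
    with open(os.path.join(root, sid, "photo.png"), "wb") as f:
        f.write(b"constructed png bytes")
    with open(os.path.join(outside, "secret.txt"), "w") as f:
        f.write("not an upload")
    # a symlink inside the session folder that points outside the upload root:
    # the name passes the pattern check, so only the realpath check catches it
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(root, sid, "link.png"))
    result = {
        "served": read_upload(root, sid, "photo.png"),
        "bad_session_blocked": is_blocked(root, "../" + sid, "photo.png"),
        "traversal_blocked": is_blocked(root, sid, "../../secret.txt"),
        "symlink_blocked": is_blocked(root, sid, "link.png"),
        "missing_blocked": is_blocked(root, sid, "nothere.png"),
    }
    shutil.rmtree(root)
    shutil.rmtree(outside)
    return result


if __name__ == "__main__":
    print(demo())
```

The session id used here should come from the server-side session, not from a request parameter, so that one user cannot ask for another session's folder; the validation is still worth keeping as a safety net against bugs elsewhere in the application.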

  • I've never set a chroot jail. Just seen the reference: en.wikipedia.org/wiki/Chroot . Could you post a good reference of how to do this?
    – Manolo
    Commented Sep 16, 2013 at 14:24
  • Added a link, it's pretty easy with mod_security, unless you have additional dependencies (could be the case with your transformation process).
    – Calimo
    Commented Sep 16, 2013 at 16:30
  • I have a problem when trying to show the images. The server cannot access the folder outside the Document Root. How should I do this?
    – Manolo
    Commented Oct 5, 2013 at 8:48
  • You need to check the permissions on the folder. The script (usually running as the same user as the server, typically www-data or apache) must have write access to it.
    – Calimo
    Commented Oct 6, 2013 at 18:38
  • I guess I'm wrong when trying to access a folder outside the server directory. It should be outside the document root but inside the server directory. Isn't it?
    – Manolo
    Commented Oct 7, 2013 at 8:09
