Totally agree with Chris. Like for example, the code I sent, it will reject anything that's not *.pdf, but rename *.exe to *.pdf and you have a baby ready to take care of, on the server or wherever you are storing.

To me that's the biggest thing you need to catch apart from other *cleanup* stuff. It's a big, and I mean big, security issue more than anything else.

Thanks,
<Ajas Mohammed />
http://ajashadi.blogspot.com

We cannot become what we need to be, remaining what we are. No matter what, find a way. Because that's what winners do. You can't improve what you don't measure. Quality is never an accident; it is always the result of high intention, sincere effort, intelligent direction and skillful execution; it represents the wise choice of many alternatives.

On Thu, Jul 30, 2009 at 5:36 PM, Chris Champion <[email protected]> wrote:

> Cool, I will be interested to see what you find. That said, regardless of
> what the initial extension is, my point is that you can't think of these
> defenses as a way to keep the uploaded binary from *ever* getting on your
> server -- but all the defensive tactics you and I and Billy and Ajas are
> using are best thought of as deciding what to do with the binary now that
> it's there. Using a directory out of the web tree (whether a temp dir or
> not) is like having a quarantine area. The most common file-upload exploit
> I've heard about is to upload an .exe as if it were a .gif or .jpg, because
> if the file isn't quarantined appropriately then viewing the "image" could
> execute evil, bad, nasty code from evil, bad, nasty hackers who will come
> steal your brains. And money.
>
> On Thu, Jul 30, 2009 at 3:09 PM, Mike G <[email protected]> wrote:
>
>> That is a good point, but I don't think CF works that way. I am
>> pretty sure that input type=file uploads the file to a file on the
>> server with a .tmp extension and THEN CF processes it. The reason I
>> think this is that if you try to upload a file that takes longer than
>> the web server's http timeout value CF cannot find the file even though
>> it is a .tmp in the temp folder. This piques my interest enough (and
>> since I have about a 100 websites that do the same thing) that I will
>> be doing some hard core testing this evening. I'll post what I find
>> out after I am done.
>>
>> I do do client side checking with JavaScript (with its inherent
>> flaws) to check the ext in the field onsubmit, and if you use cfinput
>> type=file in cf8, you may be able to do a regex match server side on
>> the file ext; I know that the regex works with a regular input field;
>> never tried it with a type=file field to see if it evals BEFORE the
>> file upload to a .tmp file. My guess is not.
>>
>> Will let you know what I find
>>
>> M
>>
>> On Thu, Jul 30, 2009 at 2:52 PM, Billy Cravens <[email protected]> wrote:
>>
>> > I doubt he wants to do that. Then he'd be letting the file onto the file
>> > system, which is what he's avoiding to begin with. By restricting the file
>> > type in the cffile tag, the file never gets saved to the file system, and
>> > the cffile structure is never set.
>> > --
>> > Billy Cravens
>> >
>> > On Thu, Jul 30, 2009 at 2:28 PM, Mike G <[email protected]> wrote:
>> >
>> >> Are you trying to catch on upload, or catching as soon as you start
>> >> trying to process the uploaded file?
>> >>
>> >> If the latter, in the top of your cftry, evaluate the cffile.serverfile
>> >> extension (don't have the docs in front of me for the exact var that
>> >> holds it). If it is not an allowable type, then use cfthrow and throw
>> >> a custom exception. Then in your cfcatch, trap for that custom
>> >> exception. Pretty simple to do.
>> >>
>> >> On Thu, Jul 30, 2009 at 2:12 PM, Mark Davis <[email protected]> wrote:
>> >>
>> >> > hey gang,
>> >> >
>> >> > I have some pages where users upload photos and resumes. The mime types
>> >> > allowed are limited to standard stuff. The page is wrapped in a try/catch,
>> >> > that currently logs everything to one certain log file. We get a lot of
>> >> > "errors" where the user is trying to upload an exe as a photo and crazy
>> >> > stuff like that. I want a specific cfcatch type="" to catch only those
>> >> > errors for mime type exceptions, handle those one way, then catch everything
>> >> > else and handle a different way. I have the everything else, but I am
>> >> > having issues figuring out the mime type catch. Anyone? Thanks
>> >> >
>> >> > Mark Davis | Developer
>> >> > Round Table Group, Inc.
>> >> > (281) 717-4575
>> >> > [email protected]
>> >> > www.roundtablegroup.com
>> >> > The Leading Authority in Expert Witness Search & Referral(TM)
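The thread's recurring point is that an extension or MIME allowlist only sees what the client claims, so a renamed *.exe passes, and the real decision is what to do with the bytes once they are on the server. The following is an added example, my own code rather than anything posted by the participants, and in Python rather than the CFML they are using, of the server-side layer a defender puts behind that allowlist: sniff the file's leading bytes against a small table of signatures, require them to agree with the claimed extension, and only then assign a server-generated name in a directory outside the web root (the "quarantine area" Chris describes). The signature table, the quarantine path and the sample byte strings are constructed for illustration.

```python
import secrets
from pathlib import Path
from typing import Optional, Tuple

# Constructed allowlist of leading-byte signatures for the types the thread
# mentions (photos, resumes). Unlike a cffile "accept" list, these are read
# from the file content, not from the client-supplied name or MIME type.
SIGNATURES = {
    ".pdf": [b"%PDF-"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
}

# Hypothetical directory outside the web tree; nothing here is served by the web server.
QUARANTINE_DIR = Path("/var/app/uploads-quarantine")


class UploadRejected(Exception):
    """Raised when content and claimed type disagree (the Python analogue of a custom cfthrow)."""


def sniff_extension(data: bytes) -> Optional[str]:
    """Return the allowlisted extension whose signature matches the leading bytes, or None."""
    for ext, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def validate_upload(client_filename: str, data: bytes) -> str:
    """Return the verified extension, or raise UploadRejected.

    The client filename is untrusted: only its suffix is consulted, and even that
    is cross-checked against the content rather than believed on its own.
    """
    claimed = Path(client_filename).suffix.lower()
    if claimed not in SIGNATURES:
        raise UploadRejected(f"extension {claimed!r} is not in the allowlist")
    actual = sniff_extension(data)
    if actual is None:
        raise UploadRejected("content matches no allowed signature")
    # .jpg and .jpeg share a signature, so compare the signature lists, not the names.
    if SIGNATURES[actual] != SIGNATURES[claimed]:
        raise UploadRejected(f"content looks like {actual} but the name claims {claimed}")
    return claimed


def check_upload(client_filename: str, data: bytes) -> Tuple[bool, str]:
    """Non-raising wrapper: (accepted, verified extension or rejection reason)."""
    try:
        return True, validate_upload(client_filename, data)
    except UploadRejected as exc:
        return False, str(exc)


def quarantine_path(verified_ext: str, directory: Path = QUARANTINE_DIR) -> Path:
    """Server-chosen random name in the quarantine directory; the client's name is never reused."""
    return directory / f"{secrets.token_hex(16)}{verified_ext}"


def handle_upload(client_filename: str, data: bytes, directory: Path = QUARANTINE_DIR) -> Path:
    """Validate, then return the path where the bytes would be written."""
    return quarantine_path(validate_upload(client_filename, data), directory)


if __name__ == "__main__":
    # Constructed samples: a real-looking PDF header, and a PE ("MZ") header renamed to .pdf.
    samples = [
        ("resume.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
        ("resume.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("photo.jpg", b"GIF89a\x01\x00\x01\x00"),
        ("tool.exe", b"MZ\x90\x00"),
    ]
    for name, blob in samples:
        print(name, "->", check_upload(name, blob))
```

The check deliberately treats the two cases the thread worries about differently from a plain allowlist: a renamed executable is rejected because its leading bytes match nothing allowed, and a GIF uploaded as "photo.jpg" is rejected because the content and the name disagree, even though both types are individually permitted. Whatever survives is written under a name the server chose, so the client's filename never reaches the file system.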
