Re: Anonymous Feedback Form: Prevent Malicious Code On Documents

2010-11-05 Thread Matthew Lowrey

Thanks for the confirmation Bryan, I figure it would be something pretty 
expensive.  I was just curious if there was an open source deal out there.  
This feedback isn't used THAT much which is probably why we never noticed it 
being totally open.

Matt.

 I know that computer forensics folks have access to software that can
 scan images and essentially look for a certain amount of flesh tones
 in the images.
 
 I have no idea if there is a stripped down utility that could do this
 (as the software they play with is quite expensive) just letting you
 know there are more automated methods than humans viewing every image
 and allowing/dis-allowing.
 


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:338852
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


RE: Anonymous Feedback Form: Prevent Malicious Code On Documents

2010-11-02 Thread Brook Davies

As long as you save the file to a directory that has limited execute and
script permissions, the file should not ever be executed. If you loaded a
PHP file from that directory in your browser you would get prompted to
download, but it should never execute. Make sure all script mappings on the
directory are removed. Of course, saving the file in a non-web-accessible
directory is an even better idea, and use CFCONTENT to serve the file as
mentioned...

-Original Message-
From: Matthew Lowrey [mailto:rid...@gmail.com] 
Sent: November-02-10 10:58 AM
To: cf-talk
Subject: Anonymous Feedback Form: Prevent Malicious Code On Documents


We had an attack yesterday on one of the anonymous uploads we provide for
our faculty and students to upload documents and some files.  We were attacked
yesterday (which was partly our fault for having this open to all file
types); we have now minimized these file types to the best of our ability for
this application.

The attack yesterday, though, was a valid file type but had a PHP script in
the document that, when read, would somehow give open access to write to
our website.  These individual(s) changed our footer by inserting a few
links in Turkish that linked to inappropriate sites; one can only
guess what they had and/or did on them.

In our Development Meeting this morning we talked about two points we need
to try and accomplish to prevent this from happening again (on top of the
security we've already done):
1. Saving files uploaded in a folder that is not open to everyone but secure
for only downloading the uploaded material via link of some sort.
2. Some way to scan the content of the file(s) uploaded for malicious code
that would cause harmful consequences to our site again.

I did some research yesterday on preventing malicious code being uploaded
from open anonymous fields
(http://www.paulsilver.co.uk/code/coldfusion_file_sandbox_security.php); this
was the best I could find.  It solves #1 on our list, which we have sort of
already done, minus using CFCONTENT.  I tried to look on HoF and this was the
best I could find
(http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164),
which doesn't really address my problem at all.

So, we have come up with a way to make sure of the correct extensions and
to present the material back to individuals correctly, but I'm still not
convinced this is the best solution to preventing malicious code from coming
through and making trouble for us again.


One other suggestion that was made at the meeting was to email the attached
file to our IT department, who will review and approve/disapprove the
file.  This of course would be the logical way of doing things, but we have
individuals who might need the file quicker, and I'm confident there's some
type of script/software out there that we can implement on top of the human
verification that will help us prevent this from happening again.

I just wanted to post this to see if any of you had better ideas in your
years of experience.  I'm confident you have all thought about or experienced this
in your own businesses.  I'm also confident that there's a way to use CF to
assist in this problem.  I just don't have enough knowledge to come up with
the best method, yet. :)

Thanks in advance! 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:338762
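The checks Matt's list and Brook's reply describe (an extension allow-list, content that actually matches the extension, no server-side script hidden inside a "valid" file, and a server-chosen name for the stored copy in a non-web directory), as an added example written for this post in Python rather than CFML; it is not code from the thread, and the type table, the marker list and the sample files are constructed assumptions to adapt to the real form.

```python
import re
import secrets

# Extension allow-list and the leading bytes a file of that type must carry.
# Constructed for this example; extend it to the types the feedback form really accepts.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Server-side script openers that never belong inside a document or image upload.
# They are short, so a chance match in binary data is possible: treat a hit as
# "quarantine for the IT review step", not as proof of an attack.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<%|<cfscript|<cfexecute|<cffile", re.IGNORECASE)

def check_upload(filename: str, data: bytes):
    """Return (accepted, reason). The declared extension, the magic bytes and the
    raw content must all agree; a "valid type" with a script inside is rejected."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext!r} is not on the allow-list"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, f"content does not start like a .{ext} file"
    hit = SCRIPT_MARKERS.search(data)
    if hit:
        return False, f"script marker {hit.group(0)!r} found at offset {hit.start()}"
    return True, "ok"

def storage_name(filename: str) -> str:
    """Server-chosen name for the stored copy (random stem + checked extension); the
    user's name never reaches the filesystem, the file lives outside the web root
    and is handed back through a download page (CFCONTENT), not by direct URL."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"

if __name__ == "__main__":
    # Constructed samples: a clean PNG stub, the same stub with a PHP opener appended
    # (the shape of the upload the thread describes), and a PHP file renamed to .jpg.
    samples = {
        "report.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"<?php /* ... */ ?>",
        "photo.jpg": b"<?php /* ... */ ?>",
    }
    for name, content in samples.items():
        print(f"{name}: {check_upload(name, content)} -> stored as {storage_name(name)}")
```

The magic-byte table only proves the file starts like its declared type; the marker scan is what catches the "valid file type with a script inside" case, and anything it flags should go to the human review Matt mentions rather than being silently dropped.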


Re: Anonymous Feedback Form: Prevent Malicious Code On Documents

2010-11-02 Thread Matthew Lowrey

Thanks Brook:

I agree this looks like the best method so far.  I also forgot to mention 
images: if one were to upload images that were inappropriate, is there a way to 
'flag' them, or would human verification be the only resort to this type of 
situation?  I want to say there's some way of flagging certain types of images 
like porno, but I can't remember.  I thought there was a way I saw it done 
while in the military, but my memory fails me.

As long as you save the file to a directory that has limited execute and
script permissions, the file should not ever be executed. If you loaded a
PHP file from that directory in your browser you would get prompted to
download, but it should never execute. Make sure all script mappings on the
directory are removed. Of course, saving the file in a non-web-accessible
directory is an even better idea, and use CFCONTENT to serve the file as
mentioned...


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:338764


Re: Anonymous Feedback Form: Prevent Malicious Code On Documents

2010-11-02 Thread Bryan Stevenson

I know that computer forensics folks have access to software that can
scan images and essentially look for a certain amount of flesh tones
in the images.

I have no idea if there is a stripped down utility that could do this
(as the software they play with is quite expensive) just letting you
know there are more automated methods than humans viewing every image
and allowing/dis-allowing.

HTH

Cheers

On Tue, 2010-11-02 at 14:14 -0400, Matthew Lowrey wrote:

 Thanks Brook:
 
 I agree this looks like the best method so far.  I also forgot to mention 
 images: if one were to upload images that were inappropriate, is there a way 
 to 'flag' them, or would human verification be the only resort to this type of 
 situation?  I want to say there's some way of flagging certain types of 
 images like porno, but I can't remember.  I thought there was a way I saw it 
 done while in the military, but my memory fails me.



Bryan Stevenson B.Comm.
VP and Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: br...@electricedgesystems.com
web: www.electricedgesystems.com
 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:338768