hiro

Reputation: 271

File upload security with Apache

I believe the problem is pretty common: you want to allow users to upload their files to your server. One common technique to prevent security issues is to check the file extensions to prevent executable files.

But that's pretty innocent, I believe. Users could, for example, upload a php text file so that it can simply print phpinfo(). And it shouldn't just be a problem of PHP - it can be any files that the server wants to execute automatically.

So is there any way to configure Apache so that there's one safe directory (to store statically uploaded files) so that the files in this folder are safe enough not to be executable (which means that when users request such files, they are directly sent to the browsers without any side effect on the server)?

Upvotes: 0

Views: 3430

Answers (4)

Mike Samuel

Reputation: 120506

The security problems usually do not come from uploading, but from hosting.

When you host files, you need to

  1. serve on a jailed domain so that any cookies or other credentials associated with your main domain do not leak to uploaded HTML/Flash/etc. files. Also, the jailed domain has to be one that JavaScript can't set via document.domain = ... to be a privileged domain.
  2. examine the content and reject any that is not of a white-listed type.
  3. normalize the content. For example, images can be used to attack machines because most image decoders are not as secure as browsers' image decoders. Normalizing content reduces the attack surface for both binary and textual data by replacing quirky constructs with more commonplace, better tested ones.
  4. serve it with proper mime-type and encoding headers that you allow -- don't use the grabbag approach that apache does to infer mime-type. This is necessary to prevent polyglot attacks like gifar or gif/JS or lcamtuf's HTML/JPEG polyglot.
  5. keep the content away from the rest of your stuff. Believe it or not, there are still people who sudo bash and put . on their PATH, and this behavior enables trojans. It should not be on anyone's PATH, PYTHONPATH, etc. Ideally, there is one apache instance with its own role account that has read access and no other accounts have read access. If your main apache instance can write but can't read these files then it can upload them but can't serve them.
  6. don't let the uploader control the file name. See trojan above.

Upvotes: 1

Alister Bulman

Reputation: 35139

Probably a bad idea in the first place - since they can upload such things as Javascript that could be served from your own domain name, and so able to do anything within the Document Object Model.

Executable viruses will often name themselves as kitten.jpg.exe - and since Windows by defaults hides the final part of a filename, it will just show as 'kitten.jpg' which people will promptly download, click and run.

Google and Yahoo spend a great deal of time and effort to get this right - and they don't allow such things easily. Don't do it, and especially don't trust anything you don't explicitly trust.

If you really want to do it - and it's still a pretty bad idea to blindly allow anyone to upload anything they want without checking - then you can at least turn off PHP from being run within Apache:

<IfModule mod_php5.c>
  php_value include_path ".:/usr/local/lib/php"
  # "engine off" disables the PHP interpreter for this scope, so an uploaded
  # .php file is served as plain text instead of being executed.
  php_admin_flag engine off
</IfModule>

Upvotes: 0

Ehsan Khodarahmi

Reputation: 4922

It's enough to just save your uploaded files in a directory outside of your htdocs path.

Upvotes: 1

Marc B

Reputation: 360632

Checking file extensions is a USELESS technique. Consider someone doing

ren nastyvirus.exe cutekittens.jpg

before doing the upload.

The safest thing for uploads is to drop them somewhere OUTSIDE of your site's document root, so that it is literally impossible to specify a URL which can reach them directly. The only access will be via a script YOU control.

Upvotes: 3
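An added example (not from any of the answers above) that combines Marc B's advice with Mike Samuel's points 4 and 6: uploads live outside the document root under server-generated names, and the only way to reach them is this script, which serves a whitelisted type with explicit headers and never uses the uploader's file name. The directory /var/uploads, the SQLite database /var/upload-meta.sqlite and the `uploads(id, mime)` table are assumptions for the example.

```php
<?php
// Added example, not code from the original post. Serves files that are stored
// OUTSIDE the document root, so no URL reaches them except through this script.
// Assumed layout: /var/uploads/<id> holds the bytes, and an SQLite table
// uploads(id TEXT, mime TEXT) records the type detected by inspecting the
// content at upload time (never taken from the client's Content-Type header).
declare(strict_types=1);

const UPLOAD_DIR = '/var/uploads';
const META_DB    = 'sqlite:/var/upload-meta.sqlite';
// Only types we are willing to hand out; anything else is never exposed.
const ALLOWED_TYPES = ['image/png', 'image/jpeg', 'image/gif', 'application/pdf'];

function lookupUpload(PDO $db, string $id): ?array
{
    // Ids are server-generated 32-hex-digit tokens; reject anything else
    // before it gets anywhere near a file-system path.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id)) {
        return null;
    }
    $stmt = $db->prepare('SELECT mime FROM uploads WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function serveUpload(PDO $db, string $id): void
{
    $row  = lookupUpload($db, $id);
    $path = UPLOAD_DIR . '/' . $id;
    if ($row === null || !is_file($path)) {
        http_response_code(404);
        return;
    }
    // Re-check the recorded type against the whitelist at serve time too.
    if (!in_array($row['mime'], ALLOWED_TYPES, true)) {
        http_response_code(403);
        return;
    }
    // Explicit type, no browser sniffing, and forced download so the bytes are
    // never rendered as HTML/JavaScript in this origin. The download name is
    // the opaque id, not whatever the uploader called the file.
    header('Content-Type: ' . $row['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $id . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

serveUpload(new PDO(META_DB), (string) ($_GET['id'] ?? ''));
```

The Apache account needs read access to /var/uploads and the metadata database but the directory itself must stay outside every DocumentRoot and Alias.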
