Reputation: 81
I'm developing a web application where users can upload their files and execute them. I mean, they can upload an HTML file and then, with a click, they can execute it in an iframe inside my web application and see the rendered HTML.
For security reasons I have denied upload of php files as those could have access to my server and create a mess.
I'm wondering if they can also create problems with JavaScript, hack my server or whatever... I've read somewhere that MySpace has been somehow hacked with JavaScript files... and I also saw that WordPress deletes any script on the hosted version. How can JS create problems on a server?
Upvotes: 0
Views: 497
Reputation: 115
Uploading files from external users that will be parsed/interpreted by your server is HIGHLY dangerous. I strongly suggest you don’t attempt this, and if you must, you must learn more about the security ramifications of this in your particular environment.
To your specific question: How can client-interpreted Javascript cause security issues in your site? (my translation)
While the Javascript itself won’t execute on your server and cannot hurt things directly (making some assumptions about your environment), the Javascript will execute in a user’s web browser using the scope/permissions of your other scripts coming from your server. Usually the security vulnerabilities are caused by tricking the web server to provide the uploaded script on someone else’s session, which gives the attacker access to the sandboxed environment/variables belonging to another user.
There are ways to protect from these vulnerabilities, but it can be tricky and depends on many things in your specific environment. The fact that other major, highly experienced hosting environments (i.e. WordPress and many others) are blocking this on their own sites should give you an idea how dangerous it can be.
Upvotes: 1
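The answer's point is that an uploaded page runs in the visitor's browser with the same origin as the application, so its script can read the application's cookies and storage for whichever user opens it. The usual defences are to serve uploads from a separate origin, to apply a Content-Security-Policy `sandbox` to the uploaded document, and to embed it through a sandboxed iframe. The following Node.js handler is an added example, not code from the question or the answer; the upload store, the hostnames `usercontent.example` and `app.example`, and the sample upload are constructed assumptions.

```javascript
// Added example: serving user-uploaded HTML without letting it run as the
// application's own origin. Pure functions so the logic can be tested; wire
// serveUpload() into an http.createServer handler on the uploads host.
const UPLOADS_ORIGIN = "https://usercontent.example"; // assumed: separate origin for uploads
const APP_ORIGIN = "https://app.example";             // assumed: the main application origin

// Constructed sample upload: a page whose script would read document.cookie
// if it were rendered directly inside the application's origin.
const uploads = new Map([
  ["index.html", "<h1>hi</h1><script>document.body.innerText = document.cookie</script>"],
]);

// Reduce the request path to a single safe file name: one path segment made of
// word characters, dots and dashes, and no ".." so the store cannot be walked.
function safeUploadName(pathname) {
  const name = decodeURIComponent(pathname.replace(/^\/uploads\//, ""));
  if (!/^[A-Za-z0-9._-]+$/.test(name) || name.includes("..")) return null;
  return name;
}

// Response for GET /uploads/<name> on the uploads origin. The body is the
// user's file unchanged; the headers are what keep it contained:
//   - nosniff so the browser does not reinterpret the content type,
//   - CSP "sandbox" so the document gets an opaque origin and cannot run
//     scripts, submit forms or navigate the parent,
//   - default-src 'none' so inline script is blocked even if sandboxing were
//     ignored by an old client.
function serveUpload(pathname) {
  const name = safeUploadName(pathname);
  if (name === null) return { status: 400, headers: {}, body: "bad upload name" };
  const body = uploads.get(name);
  if (body === undefined) return { status: 404, headers: {}, body: "not found" };
  return {
    status: 200,
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
      "Content-Security-Policy": "sandbox; default-src 'none'; img-src data:; style-src 'unsafe-inline'",
      "Cache-Control": "no-store",
    },
    body,
  };
}

// Viewer page served from the application origin. The iframe points at the
// other origin and carries the sandbox attribute, so the embedded document is
// isolated twice: by origin and by iframe sandboxing.
function viewerPage(name) {
  const safeName = safeUploadName("/uploads/" + name);
  if (safeName === null) throw new Error("invalid upload name");
  const src = `${UPLOADS_ORIGIN}/uploads/${encodeURIComponent(safeName)}`;
  return `<!doctype html><title>Preview on ${APP_ORIGIN}</title>` +
         `<iframe sandbox src="${src}"></iframe>`;
}

// Convenience check used when auditing a response: are all containment
// headers present and is the CSP actually sandboxed?
function isContained(response) {
  const h = response.headers;
  return response.status === 200 &&
         h["X-Content-Type-Options"] === "nosniff" &&
         typeof h["Content-Security-Policy"] === "string" &&
         /(^|;)\s*sandbox(\s|;|$)/.test(h["Content-Security-Policy"]);
}
```

The uploaded script is still delivered byte for byte; what changes is where and with which privileges it runs. With the opaque origin and no script execution, a stored script cannot reach another user's session cookie on `app.example`, which is the attack the answer describes.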