What security issues appear when users can upload their own files?
I was wondering what security issues appear when the end user of a website can upload files to the server.
For instance if my website allows the users to upload a profile picture, and one user uploads something harmful instead, what could happen? What kind of security should I set up to prevent attacks like this? I'm talking here about images, but what about the case where a user can upload anything into a file-vault kind of application?
It's more a general question than a question about a specific situation, so what are the best practices in that situation? What do you usually do?
I suppose: type validation on upload, different permissions for uploaded files... what else?
EDIT: To clear up the context, I am thinking about a web application where a user can upload any kind of file and then display it in the browser. The file would be stored on the server. The users are whoever uses the website, so there is no trust involved.
I am looking for general answers that could apply for different languages/framework and production environments.
I'm using Spring Web 4.0.5, Spring Security 3.2.4, Commons FileUpload 1.3.1, Tomcat 7 and I'm getting an ugly MaxUploadSizeExceededException when my upload size limit is exceeded, which results in a
My question is rather theoretical than practical but i think you can answer it :) What are the main (security) issues when a public folder/file has permissions like 777? How can anyone take advantage
I am using the input type='file' multiple element, but do to server side restrictions I can only upload one document at a time. So I am struggling to find a way to do this, while keeping just the sing
** Dumb questions alert ** I created my first Web API project. I would like to test it on my web host, but I can't figure out what files to upload. I tried to upload everything from the HelloWorld fol
What is best practice to ensure only the correct users can see a webpart in Sharepoint 2007? Security Groups, and Audiences have both been suggested to me.
I have an html form, which can be used to upload files. These files are deleted when the user navigates away into another section. Unfortunately, I'm not seeing what can be done if the user decides to
I would like to enable users to upload Word Docs and PDF files to my rails application. My app is similar to a Pinterest app, users can create Pins where they attach a picture followed by a descriptio
In http://msdn.microsoft.com/en-us/library/cc189023(v=vs.95).aspx , What security issues may have if NOT disable events below? When a Silverlight-based application is in full-screen mode, most keyboa
I have a folder in my web server used for the users to upload photos using an ASP page. Is it safe enough to give IUSR write permissions to the folder? Must I secure something else? I am afraid of hac
i have problem with uploading on my own server with nicEdit wysiwyg editor. When you clikc on upload image you will upload image on other site. Here: imgur dot com This is it: http://nicedit.com/demos
I'm creating a form that allows users to upload 11 images, i have 11 input fields for the user can select an image for each. The problem is that i can only upload the images from the first 5 input fie
Is it possible to have a HTML form on server A and have it upload content to server B? Can this be achieved? I am trying to use an iframe with the form starting on the other server, but I need informa
In Java Desktop application, we can allow users to upload files into a folder in the WebServer, something like this File rootDir = new File( /home/bala/temp ) ; if( FileUpload.isMultipartContent( r
I can't seem to be able to upload several files on the same form, when not all are chosen (if I upload all, it works). The relevant code: <form id = form name = form action=<?php echo URLge
I'm trying to create a form where users can save their progress. I have successfully managed to upload files when they are saved, but for some reason the following code leaves the file that was upload
Possible Duplicate: Security threats with uploads I'm allowing users to upload an image to our site. Am I right in thinking I should check the extension of the file .jpg/.jpeg/.gif as well as the mi
I'm considering using FormsAuthentication in my web app. Just how secure is it to specify the users in the web.config that are allowed to use the application? Here is an example of what I am talking a
Is there a way how to select folder when uploading a file or files ? I have 3 or 4 folders. example: User will upload a folder but two files need to be in another folder, so they will select option 2
I use Notepad++ with its NppFTP plugin. I am required to keep local copies up to date, so I edit the local files then upload them to the server. I'm wondering if there is a way for Notepad++ to automa
How to upload files from ASP.NET web application to any web server(linux)..
I have a Python-driven web interface powered by Apache 2.2 with mod_python and Python 2.4. I need to make an asynchronous process appear synchronous to users of this web interface. When users access o
1] I have My Account Page which is accessible after login. Now i have looged in access 'My Account' Page & Logged Out. Now when i clicked on browser back button i'm able to access 'My Account' pag
What are the reasons or security reasons why a URL would be linked this way http://www.sampledemo.com/redirect?id=17&link=http://www.sampledemo.com/manual.php instead of this way http://www.samp
You can upload an individual file with the Admin site. However I have a need to upload at least 1 file, but potentially multiple files, for each object. Sometimes there will be sub-directories with th
Im not super familiar with PHP, I have the following code which allows me to upload a file to the server. how can I make this upload multiple files, in my html I have already added the multiple proper
I have the following html to upload files: <?php echo <pre>; var_dump($_FILES); echo <br />; var_dump($_POST); echo </pre>; ?> <form method=POST ENCTYPE=multipart/f
I am building an application that is using websockets. I am only going to allow authenticated users to open a websocket connection with the server after they have logged in and have been granted a ses
I want to Upload files into rackspace cloud container with API in C# and I am using .net 4.0 version. So, how I can create webrequest for this. Even I successfully created containers with the same req
We all know that chmod 777 is not the best way of making our upload script to work. So i was thinking what would be the best solution when using it. I thought that when the user uploads a file pictur
I'm making my first MVC Project for the school and ran into this problem: I'm building an Classifieds web page where user can upload pictures of what they want to sale, As far as i understand the best
The Issue: when multiple users have access to the same working directory, permissions issues can occur in the meta-data if any git operations are performed. DISCLAIMER: Before you chastise me - I real
I have issue ! I've read somewhere that the maximum value which we may transfer 2GB by IIS 6 but i need to create application using C# which could be able to upload files with size over than 150mb and
I understand that security issues usually come from user inputs which is why I am assuming there is a security hole in the else part of $eFlag!=1. I am not familiar with php so I am not 100% sure what
When I'm trying to upload large files (>10Mb) with a file upload control in my XPages application, I'm always redirected to an error page in my browser, saying The connection to the server was res
I have been stuck on this for a while now and I can't figure out what to do. I know that it will probably involve creating an empty list and then adding the words to the list but I haven't got a clue
Possible Duplicate: Large .PDF Files Not Uploading To MySQL Database as Medium BLOB Via PHP, Files under 2MB Work Fine Running Unix and php5. I have an upload form that allows people to upload any f
I use the jQuery File Upload Plugin (http://blueimp.github.io/jQuery-File-Upload/) to manage my file uploads. It works pretty well. I can detect when each individual file is uploaded and (for example
I am using the standard fedora AMI with the LAMP stack bundled and I want to upload files onto the server from my Windows desktop. What is the normal approach for this? I am not a UNIX admin by any
I'm developing a shopping system where shopmanager should be able to upload files to the system. Those files can the be sold for a fee and should only be accesible through providing a purchase code. T
I am allowing people to upload their project files, I've tightened my security but I just need to get to the simple point. How can I stop execution of any files in the subdirectories they're uploading
What issues / pitfalls must be considered when overriding equals and hashCode?
I have a file upload script which will be available to the general public (eg. not a closed work enviorment) and I'm concered about security: I want to allow any file to be uploaded, each file will be
I have a form whereby Users upload pictures as part of their registration process. But my issue is that, users that save the names of their image with the same name might cause some issues when they v
I've a basic php script set up on a web server to accept xml files received sent via Http post. So far so good. But I'm wondering about security issues and what other things I would need to be aware o
In my view callable, I want users to be able to create a new file called filename like so: @view_config(route_name='home_page', renderer='templates/edit.pt') def home_page(request): if 'form.submitted
I'm implementing an upload form so that my users can upload a background image to my website. I've never really thought about it before, but I presume that a virus could be uploaded in an image format
The official docs say, of the staticfiles serve view: ... this view is grossly inefficient and probably insecure Does this warning apply only to this particular view, or are there security issues in