Is this safe? - GoFuckYourself.com

The Duck · 05-07-2009, 06:11 AM

I am running a community driven website where I need to be able to have users submit html files through a contact form with file upload which forwards the file and message to my email. Is this safe or does it pose some kind of security threat if there is a rogue user who decides to upload an html file with malicious code?

I have security apps on my computer I am more concerned if it can hurt my server in some way.

seeandsee · 05-07-2009, 06:16 AM

maybe some java shit can go true, not sure is that just html files or scripting language too.

The Duck · 05-07-2009, 07:22 AM

Quote:

Originally Posted by seeandsee

maybe some java shit can go true, not sure is that just html files or scripting language too.

I will block everything but *.html files but I guess that can be exploited anyway.

grumpy · 05-07-2009, 07:24 AM

why do you need the submission of a complete html file? Easy to install exploits that way.

pornguy · 05-07-2009, 07:30 AM

.htm and .html just incase

The Duck · 05-07-2009, 07:41 AM

Quote:

Originally Posted by grumpy

why do you need the submission of a complete html file? Easy to install exploits that way.

I guess I could just have them submit the code in a text field but we are dealing with complete newbies so I fear they will not know how to extract the code from the html file as stupid as it may sounds.

StaceyJo · 05-07-2009, 10:36 AM

Easy for spammers.

SilentSound · 05-07-2009, 11:38 AM

Take care - if your server is configured in that way, <?php ?> tags will be parsed with HTML files (depends on how you use the files after upload). Strip all code, be it PHP, ASP, etc. And strip ALL javascript. ALL of it.

That should be safe - I would use one more precaution though: don't allow anything referencing outer domains (eg. hotlinking an image for example from domain2.com, where the HTML file is uploaded to domain1.com) - this is a prime candidate for cookie stuffing.

Just my

take care !!!

The Duck · 05-07-2009, 12:56 PM

Quote:

Originally Posted by SilentSound

Take care - if your server is configured in that way, <?php ?> tags will be parsed with HTML files (depends on how you use the files after upload). Strip all code, be it PHP, ASP, etc. And strip ALL javascript. ALL of it.

That should be safe - I would use one more precaution though: don't allow anything referencing outer domains (eg. hotlinking an image for example from domain2.com, where the HTML file is uploaded to domain1.com) - this is a prime candidate for cookie stuffing.

Just my

take care !!!

Awesome, thanks a lot.

SilentSound · 05-07-2009, 01:30 PM

no prob mate, hit me up if you've got some scripting security issues, I have a lot of experience with this

SilentSound · 05-07-2009, 01:32 PM

just one more thought - why don't you get your users to edit HTML online, with an editor? (FCKEditor for example, but there are a lot out there) It would be WAY more safe...

05-07-2009, 06:11 AM	#1
The Duck Adult Content Provider Industry Role: Join Date: May 2005 Location: Europe Posts: 18,243	Is this safe? I am running a community driven website where I need to be able to have users submit html files through a contact form with file upload which forwards the file and message to my email. Is this safe or does it pose some kind of security threat if there is a rogue user who decides to upload an html file with malicious code? I have security apps on my computer I am more concerned if it can hurt my server in some way. __________________ Skype Horusmaia ICQ 41555245 Email [email protected]

05-07-2009, 06:16 AM	#2
seeandsee Check SIG! Industry Role: Join Date: Mar 2006 Location: Europe (Skype: gojkoas) Posts: 50,945	maybe some java shit can go true, not sure is that just html files or scripting language too. __________________ BUY MY SIG - 50$/Year Contact here

05-07-2009, 07:24 AM	#4
grumpy Too lazy to set a custom title Join Date: Jan 2002 Location: Holland Posts: 9,870	why do you need the submission of a complete html file? Easy to install exploits that way. __________________ Don't let greediness blur your vision \| You gotta let some shit slide icq - 441-456-888

05-07-2009, 07:30 AM	#5
pornguy Too lazy to set a custom title Industry Role: Join Date: Mar 2003 Location: Homeless Posts: 62,911	.htm and .html just incase __________________ PornGuy skype me pornguy_epic AmateurDough The Hottes Shemales online! TChicks.com \| Angeles Cid \| Mariana Cordoba \| MAILERS WELCOME!

05-07-2009, 10:36 AM	#7
StaceyJo Confirmed User Join Date: Mar 2008 Posts: 8,960	Easy for spammers. __________________ /_______ WebCashMaker ______\ \| _TeenageDecadence - Young Board Naked Teens. \| \| ____ NonNudeGirls - Female Puberty Photos. ____ \| \| _ HerSelfPics - The ORIGINAL exGF SelfPic site. __ \| \.______ xPosing - Wife Photosharing site. _______./

05-07-2009, 11:38 AM	#8
SilentSound Confirmed User Join Date: Mar 2009 Location: NP-hard Posts: 287	Take care - if your server is configured in that way, <?php ?> tags will be parsed with HTML files (depends on how you use the files after upload). Strip all code, be it PHP, ASP, etc. And strip ALL javascript. ALL of it. That should be safe - I would use one more precaution though: don't allow anything referencing outer domains (eg. hotlinking an image for example from domain2.com, where the HTML file is uploaded to domain1.com) - this is a prime candidate for cookie stuffing. Just my take care !!! __________________ Hosting for those with limited cash

05-07-2009, 01:30 PM	#10
SilentSound Confirmed User Join Date: Mar 2009 Location: NP-hard Posts: 287	no prob mate, hit me up if you've got some scripting security issues, I have a lot of experience with this __________________ Hosting for those with limited cash

05-07-2009, 01:32 PM	#11
SilentSound Confirmed User Join Date: Mar 2009 Location: NP-hard Posts: 287	just one more thought - why don't you get your users to edit HTML online, with an editor? (FCKEditor for example, but there are a lot out there) It would be WAY more safe... __________________ Hosting for those with limited cash