crowell / Security-Lab

A vulnerable site. Requires PHP Apache MySQL.

uploaded.txt #3

Closed raphalanda closed 11 years ago

raphalanda commented 11 years ago

Should the uploaded.txt be accessible to everyone? I had it set up so this is simply a utility for the server to ensure only 10 files are saved, and to keep a timestamp. If it's readable, it might be a different vulnerability.

Now that I think about it, though, I may also make it so that users can't upload any file called uploaded.txt, to at least make it partially secure.

bduong commented 11 years ago

From what we saw, the upload process fails if the user cannot write to uploaded.txt. I was lazy so I chmod 777 it, but Jeff and I saw the Python script fail because of denied permissions to that uploaded.txt file.

raphalanda commented 11 years ago

uploaded.txt should only be readable by apache I guess, to enable it, I actually never tested it otherwise. I guess it's not a big deal if people can read it, but we should make sure that a person can't overwrite it.

I'll close the issue once it's fixed.

bduong commented 11 years ago

Definitely should not be overwritten... We can make it read only to apache but whoever the apache user is also needs write access. Again we were lazy so we just chmodded it. We could find the correct owner and change the owner of the uploaded.txt...

Not sure exactly how the uploaded.txt was getting updated but whoever was trying to do it didn't have permissions

raphalanda commented 11 years ago

I believe the apache owner is www-data, but since the owner is the same as the server, and we have also given exec permissions to the files directory (in order to let a vulnerability occur), there is no choice but to let uploaded.txt be seen

uploaded.txt is getting updated via the add and remove methods in the upload.py files, you can check them out

I think all we'll need to do is have a check in the upload method that if filename matches "uploaded.txt", return and scrap the upload
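The filename check proposed in the last comment, as an added example (not code from the Security-Lab repository or its upload.py). It goes beyond an exact string match by normalizing the client-supplied name first, so that case, path and trailing-character variants of uploaded.txt are also refused; `safe_upload_path`, `RejectedUpload`, `upload_dir` and `client_filename` are hypothetical names.

```python
import os
import unicodedata

# The server's bookkeeping file named in this thread (compared case-insensitively).
RESERVED_NAMES = {"uploaded.txt"}


class RejectedUpload(ValueError):
    """Raised when a client-supplied filename must not be stored."""


def safe_upload_path(upload_dir, client_filename):
    """Return the absolute path an upload may be written to, or raise RejectedUpload.

    Both parameter names are assumptions made for this example.
    """
    # Normalize Unicode so compatibility forms (e.g. fullwidth letters) compare equal.
    name = unicodedata.normalize("NFKC", client_filename)
    # Treat both separator styles as separators and keep only the last component.
    name = name.replace("\\", "/").split("/")[-1]
    # Some filesystems drop trailing dots and spaces, so strip them before comparing.
    name = name.strip().rstrip(". ")
    if not name or "\x00" in name:
        raise RejectedUpload("empty or invalid filename")
    if name.casefold() in RESERVED_NAMES:
        raise RejectedUpload("filename is reserved by the server")

    base = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(base, name))
    # Defence in depth: after resolving symlinks the file must sit directly
    # inside the upload directory.
    if os.path.dirname(dest) != base:
        raise RejectedUpload("destination escapes the upload directory")
    return dest


if __name__ == "__main__":
    # Constructed sample filenames, not taken from the project.
    for candidate in ["report.pdf", "uploaded.txt", "Uploaded.TXT", "../uploaded.txt"]:
        try:
            print(candidate, "->", safe_upload_path("files", candidate))
        except RejectedUpload as exc:
            print(candidate, "-> rejected:", exc)
```

The check only stops an upload from replacing the index file; who may read or write uploaded.txt is still decided by its owner and mode on disk.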