Is Group Documents safe on large sites? Can people upload malicious code/ viruses etc?

    rossagrant
    Participant

    @rossagrant

    Hi guys,
    I’m due to launch quite a substantial site soon and I’m planning on allowing users to use group documents. I have only allowed PDF, TXT and Word documents so far but I’m worried people could upload dodgy things. Is this possible and can I take any precautions?

    What kind of things in general can you do to protect your site? Do sites easily get hacked etc?
    Thanks
    Ross :)

Viewing 8 replies - 1 through 8 (of 8 total)
    r-a-y
    Moderator

    @r-a-y

    I haven’t checked the source fully, but it looks like the Group Documents plugin only checks files by extension and not something like the mime-type. So there is a chance that someone could do something “dodgy”; though if you have a decent user base, you won’t have to worry about it.

    @PeterAnselmo – ping!

    hkcharlie
    Participant

    @hkcharlie

    This is a great question that needs a good answer, you have me questioning the plugin now :-S

    Raul Fenossi
    Participant

    @rfenossi

    First, you only allow pdf, txt and doc or docx documents by setting the MIME types in your PHP script to upload docs, and if possible try using a server-based antivirus if your server has one =)

    Peter Anselmo
    Participant

    @peteranselmo

    Hi @rossagrant, @r-a-y & @hkcharlie,
    Thanks for the good question. So, there are three separate questions here that are slightly but significantly different, and often get merged into one.

    First: ‘Can people upload malicious things?’
    Yes. Say I have a file MyVirus.exe. I can rename it to MyVirus.exe.txt, and upload it to the site. Adding a MIME type check would help significantly, but it’s not foolproof, as the MIME type can also be spoofed. What it would do is take what I would call a “casual” malicious user out of the picture, as only more experienced and/or motivated malicious users are going to go through the trouble of spoofing MIME types. Although this sounds terrible, it’s not as bad as you might think, leading into the next question…

    ‘Will this cause any problems for my website/server?’
    No. This is not much of an issue for several reasons. The main reason is that Apache doesn’t give uploaded files executable permission. So, even if a virus is uploaded, and a user clicks on it, the most likely scenario is that the user will see the source code (which may be a bunch of junk if it’s a binary file). Even if it was a file that the web server could process (like a PHP file or shell script), it still would just display the source.

    ‘Is this a hazard to my users?’
    Not likely. Given the above scenario, someone malicious would need to rename a file extension, upload it to the site, get people to download it, and get people to change the extension. So, if the user is really dumb, it’s possible. I’d like to think that someone that goes around downloading things and changing extensions from txt to exe would learn their lesson pretty quick.

    I hope that helps. If someone is a security expert, I hope they might add more to the topic, but those are the risks to the best of my knowledge.
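
A content-based check of the kind Raul and Peter describe, as an added example that is not the Group Documents plugin's own code; the function name, the allow-list table and the MIME strings it expects libmagic to report are my assumptions:

```php
<?php
// Added example, not code from the Group Documents plugin: accept an upload only
// if its extension is on the allow-list AND the bytes on disk match that extension.
// This is what catches "MyVirus.exe" renamed to "MyVirus.exe.txt": the extension
// check passes, but libmagic reports the content as a Windows executable.

// Allowed extension => MIME types libmagic may report for genuine files of that
// type. The Office entries are an assumption: libmagic versions differ in how
// specifically they label .doc (OLE container) and .docx (zip container).
const GROUP_DOC_ALLOWED = [
    'pdf'  => ['application/pdf'],
    'txt'  => ['text/plain'],
    'doc'  => ['application/msword', 'application/CDFV2'],
    'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document',
               'application/zip'],
];

/**
 * Returns null when the file may be stored, otherwise a short rejection reason.
 * $clientName is the name the browser sent; $tmpPath is the file PHP saved.
 * Neither the name nor $_FILES[...]['type'] is trusted for the type decision.
 */
function validate_group_document(string $clientName, string $tmpPath): ?string
{
    // Only a file that arrived through this request's upload is examined.
    if (!is_uploaded_file($tmpPath)) {
        return 'not an uploaded file';
    }

    // Extension check on the final extension only: "report.exe.txt" -> "txt".
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(GROUP_DOC_ALLOWED[$ext])) {
        return "extension .$ext is not allowed";
    }

    // Content check: finfo reads the magic bytes, ignoring the filename and any
    // client-supplied headers, so a renamed executable is caught here.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected === false || !in_array($detected, GROUP_DOC_ALLOWED[$ext], true)) {
        return "content looks like '$detected', which does not match .$ext";
    }

    // A genuine .doc/.docx can still carry macros; pair this check with a
    // server-side scanner before the file is offered for download.
    return null;
}
```

In an upload handler it would be called as `validate_group_document($_FILES['doc']['name'], $_FILES['doc']['tmp_name'])` before `move_uploaded_file()`, with any non-null return treated as a rejection.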

    Hugo
    Moderator

    @hnla

    The OP mentions allowing upload of Word docs, so they could contain macro viruses. I would not be allowing Word docs to be uploaded unless they could be screened in some fashion.

    rossagrant
    Participant

    @rossagrant

    @hnla If I stick to ONLY PDF then is that safe?

    Ali Erkurt
    Participant

    @alierkurt

    @rossagrant Unless someone merges virus to PDF, yes it’s safe :)

    Hugo
    Moderator

    @hnla

    I get hopping mad when people send me Word files, I hate the presumption that I would have or want bloated MS software, other than the sadly necessary OS. pdf is in terms of this discussion a safe format, Word doc files are not getting uploaded to any server that I can exercise control of, nor – unless a trusted source – do I download Word docs; zips are not that safe either :)
