PHP Security

This is more of a general question about application security.

We have an application that we would like to allow two things in. First, allow uploading a zip file that will populate and create directories and files (PHP as well) in the application directory. Those files will be part of the actual application (i.e. we upload a zip file, the system populates it into the appropriate directory and then we have a new section in our site, like all kinds of open source software such as WordPress and Joomla do it, except that instead of uploading the directories and files manually via FTP we upload them as a zip file from the ACP and it populates the files and directories into the appropriate directories). The same thing applies to the template views we have. We have them made as PHP files inside a certain directory, so if an admin would like to edit them he can do that through the ACP and save directly into the file. The problem here is again that because the template views directory needs to be chmod'ed for read and write, it can lead to serious security flaws.

So my question here is: under those circumstances, what should be done in order to both have those options in the system and yet not cause any potential security holes and flaws?

Hi,

IMO the security issues already start with the zip packages. It's really important who can upload these "extensions" as zip files, who owns the webserver and which library you're using. E.g. if you provide your application as a service you need to scan the zip packages with an anti-virus scanner before unpacking! Otherwise your server could be brought to its knees with malicious single-character or folder-depth packages.

Including uploaded files is a killer though…

If they need to be uploaded via FTP, an attacker already "owns" your server and therefore is not interested in exploiting your web application for access. But if he can do this through the web application, one hole in the authentication, the upload form, the extensions mechanism or something else could be enough for him to do harm.

Is your application open source? Could it be practicable to do some kind of package signing? Maybe adding an inclusion-layer to your application for checking files and storing them outside the application/webroot?

Just some thoughts about it.

It’s an interesting subject - so let’s discuss :)

Greetings
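The two package problems mentioned in this reply (traversal paths and "folder-depth" or bomb-style archives) can be screened before anything is unpacked. This is an added example, not code from the thread or from Yii; the function name, the allowed extensions and the numeric limits are assumptions to tune for your own packages.

```php
<?php
// Added example (not from the thread or Yii): check an uploaded extension
// package before extracting it. Function name and limits are assumptions.
function validateExtensionZip(string $zipPath, array $allowedExt = ['xml', 'php', 'png'],
    int $maxEntries = 2000, int $maxDepth = 8, int $maxTotalBytes = 52428800, int $maxRatio = 100): array
{
    $errors = [];
    $zip = new ZipArchive();
    $rc = $zip->open($zipPath);
    if ($rc !== true) {
        return ["cannot open archive (ZipArchive error code $rc)"];
    }
    if ($zip->numFiles > $maxEntries) {
        $errors[] = "too many entries ({$zip->numFiles} > $maxEntries)";
    }
    $total = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $st   = $zip->statIndex($i);
        $name = str_replace('\\', '/', $st['name']); // treat backslashes as separators
        // Path traversal: reject absolute paths, drive letters and ".." components
        if ($name === '' || $name[0] === '/' || preg_match('#^[A-Za-z]:|(^|/)\.\.(/|$)#', $name)) {
            $errors[] = "unsafe path: {$st['name']}";
            continue;
        }
        // "Folder-depth packages": refuse trees deeper than $maxDepth levels
        if (substr_count(rtrim($name, '/'), '/') + 1 > $maxDepth) {
            $errors[] = "directory too deep: $name";
        }
        if (substr($name, -1) === '/') {
            continue; // directory entry, nothing more to check
        }
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!in_array($ext, $allowedExt, true)) {
            $errors[] = "disallowed file type: $name";
        }
        // Zip-bomb heuristics: per-entry expansion ratio and total uncompressed size
        if ($st['comp_size'] > 0 && $st['size'] / $st['comp_size'] > $maxRatio) {
            $errors[] = "suspicious compression ratio: $name";
        }
        $total += $st['size'];
    }
    if ($total > $maxTotalBytes) {
        $errors[] = "package expands to $total bytes (limit $maxTotalBytes)";
    }
    $zip->close();
    return $errors; // an empty array means the package passed every check
}
```

Run it on the uploaded file and refuse the package if the returned array is non-empty; an anti-virus scan of the archive, as suggested above, is a separate step this check does not replace.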

Thanks for the comments. Well, any open source software out there allows the user who has access to the FTP to upload files into certain directories (such as WordPress with its plugin system), so what I wanted to do is remove the hassle for the admin of uploading them manually through FTP and instead upload just a zip archive through the ACP, and then the system will populate the zip file into its directories. Basically the entire zip file will have XML files in it, usually no other file types at all (the system will create those for each file from the XML, even images).

My main concern was that I will have to allow write permissions for the application directory where all the code is located, and that's what's keeping me thinking.

Hope that someone who made something similar will share his experience with it.

Hi,

I've pointed out the difference between FTP upload and web upload of zip packages, respectively the unpacking of the packages. One manipulated zip archive is able to bring down your webserver.

Personally, I wouldn't even allow a user the right to directly read files inside the application directory. I've experienced that a webserver doesn't interpret PHP files because of internal errors and I could easily download config files etc.

Furthermore I would build an extension layer which fakes the existence of these view etc. files to Yii, while they are located in another isolated directory.

As far as I can tell, Joomla therefore has its FTP layer. To upload packages, besides the file you'd like to upload, you have to provide a valid FTP user & password combination (if you didn't save them in Joomla's config). This way, all writing operations will be done by the FTP user instead of by the user the webserver is running as. So the webserver doesn't need write privileges.

Ben could you explain more, I didn’t know Joomla does that.

Sorry, I didn't investigate that feature in depth. I only know I can install extensions within my Joomla installation without having to give write permissions to the webserver for all the folders. Instead, all the files and folders are owned by the FTP user. Other users (like the webserver) only have read permissions (there are some special folders though that need write privileges).

If you try to install a module from within Joomla, you are provided a file upload input field and two additional input fields (FTP account username & password). I guess what they do is:

1. loading up the .zip file
2. extracting the .zip file (to a temp folder that needs to be writable - but maybe one could also extract to memory)
3. open an FTP connection (to the server itself, using the connection information you provided)
4. then simply copy the extracted data via FTP instead of directly copying it using PHP
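The four steps above, as an added example of the "FTP layer" idea; this is not Joomla's code and not from the thread. The function name, the FTP host (the server itself), the remote root directory and the temp-dir naming are assumptions, and the package is assumed to have already passed your pre-extraction checks.

```php
<?php
// Added example (not Joomla's code, nor from the thread): the install flow
// described above. Function, host and temp-dir names are assumptions, and the
// package is assumed to have passed your pre-extraction checks already.
function installViaFtp(string $zipPath, string $ftpUser, string $ftpPass,
    string $remoteRoot = '/htdocs/extensions', string $ftpHost = '127.0.0.1'): bool
{
    // Steps 1+2: unpack into a temp folder; the only place PHP needs write access
    $tmp = sys_get_temp_dir() . '/ext_' . bin2hex(random_bytes(8));
    if (!mkdir($tmp, 0700)) {
        return false;
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true || !$zip->extractTo($tmp)) {
        return false;
    }
    $zip->close();
    // Step 3: FTP back to the server itself with the credentials the admin typed in
    $ftp = ftp_connect($ftpHost, 21, 10);
    if ($ftp === false || !ftp_login($ftp, $ftpUser, $ftpPass)) {
        return false;
    }
    ftp_pasv($ftp, true);
    $ok = true;
    // Step 4: copy the tree via FTP, so every new file is owned by the FTP user,
    // not by the webserver user, and the webroot stays read-only for PHP
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($tmp, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST);
    foreach ($it as $path => $info) {
        $rel    = substr($path, strlen($tmp) + 1);
        $remote = $remoteRoot . '/' . str_replace('\\', '/', $rel);
        if ($info->isDir()) {
            @ftp_mkdir($ftp, $remote); // fails harmlessly if it already exists
        } elseif (!ftp_put($ftp, $remote, $path, FTP_BINARY)) {
            $ok = false;
            break;
        }
    }
    ftp_close($ftp);
    return $ok;
}
```

Removing the temp directory afterwards is left out here; because the connection goes to the local host, the plaintext FTP credentials never leave the machine.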