Re: Security risks allowing users to upload a css file? [message #181397 is a reply to message #181389]
Wed, 15 May 2013 10:12
Arno Welzel
On 15.05.2013 05:07, Bhushan N.N wrote:
> Are there any security risks involved in allowing a user to upload a css file?
This depends on how the CSS file is used on the server.
> I will be using the uploaded css file for a preview. Using another HTML template I already have on the server.
So - users can upload a file and this will be used by a
<link rel="stylesheet" type="text/css" href="..." />?
Well - it is possible to use CSS to obfuscate existing elements or even
to load data from other servers. So I would say - yes it is a risk if
you don't validate the CSS. It may not break your server, if it only
sends the data it stored earlier as a result of an upload - but it may
be misused by others to host fake websites on your machine.
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
Re: Security risks allowing users to upload a css file? [message #181399 is a reply to message #181389]
Wed, 15 May 2013 10:26
The Natural Philosoph
On 15/05/13 04:07, Bhushan N.N wrote:
> Are there any security risks involved in allowing a user to upload a css file?
>
> I will be using the uploaded css file for a preview. Using another HTML template I already have on the server.
Honey, there is a risk allowing a user to upload ANYTHING to a server.
Up to and including a TCP packet requesting a page...
Your job is to balance that risk with the reward you get from them for
allowing them to do it.
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.
Re: Security risks allowing users to upload a css file? [message #181401 is a reply to message #181389]
Wed, 15 May 2013 10:35
Jerry Stuckle
On 5/14/2013 11:07 PM, Bhushan N.N wrote:
> Are there any security risks involved in allowing a user to upload a css file?
>
> I will be using the uploaded css file for a preview. Using another HTML template I already have on the server.
>
Uploading files always has security risks. Even connecting to the
internet has security risks. The only way to not have any security risk
is to not have any USB ports, DVD drives, etc. on the machine, lock the
machine in a vault with no connection to the outside world, and don't
give anyone the key. Even then your machine isn't perfectly safe.
Of course, such a machine wouldn't be very useful.
There are always security risks. You need to balance the risks vs. the
rewards.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Security risks allowing users to upload a css file? [message #181404 is a reply to message #181389]
Wed, 15 May 2013 12:44
Denis McMahon
On Tue, 14 May 2013 20:07:29 -0700, Bhushan N.N wrote:
> Are there any security risks involved in allowing a user to upload a css
> file?
>
> I will be using the uploaded css file for a preview. Using another HTML
> template I already have on the server.
Yes, css can be used to redirect links to, or load images (or almost
anything else) from third party sites.
It's also possible to obfuscate urls in css files using hexadecimal %xx
codes so that searching for common strings won't find them.
I would be very wary about allowing third parties to upload their own
unchecked css files to use with my website. I certainly wouldn't allow
such css to subsequently be served from my server without at least a regex
check to look for embedded urls and obfuscated url strings, and probably
a manual inspection as well.
--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
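A server-side check of the kind Denis describes, written here as an added example (not code from the thread or from any of the posters): it decodes CSS backslash escapes and %xx sequences before searching, so an obfuscated url() or @import still surfaces, and reports every reference that points off an allow-list of hosts. The sample stylesheet and the host names in it are constructed.

```python
import re
from urllib.parse import unquote, urlparse

# CSS backslash escapes: \75 or \000075 -> "u"; \X -> X (both can hide "url(")
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?|\\(.)", re.DOTALL)
# url(...) and @import references, quoted or unquoted
_URL_REF = re.compile(
    r"""(?:url\(\s*|@import\s+(?:url\(\s*)?)['"]?([^'")\s]+)""", re.IGNORECASE)

def _unescape(m: re.Match) -> str:
    if m.group(1):
        try:
            return chr(int(m.group(1), 16))
        except ValueError:  # code point above U+10FFFF, drop it
            return ""
    return m.group(2)

def normalize_css(css: str) -> str:
    """Strip comments, decode CSS escapes, then decode %xx so hidden tokens surface."""
    text = re.sub(r"/\*.*?\*/", "", css, flags=re.DOTALL)
    text = _CSS_ESCAPE.sub(_unescape, text)
    return unquote(text)

def find_external_refs(css: str, allowed_hosts=()) -> list:
    """Return (kind, target) for every reference that does not stay on an allowed host."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for m in _URL_REF.finditer(normalize_css(css)):
        target = m.group(1).rstrip(";")
        if target.lower().startswith(("data:", "javascript:")):
            findings.append(("scheme", target))  # inline payload, never a local file
            continue
        parsed = urlparse(target)
        if parsed.scheme or parsed.netloc:  # absolute or protocol-relative URL
            if (parsed.hostname or "").lower() not in allowed:
                findings.append(("external", target))
    return findings

# Constructed sample: two obfuscated off-site loads, one allowed CDN import,
# one relative path, and one URL that only appears inside a comment.
SAMPLE_CSS = r"""
body { background: \75rl(http://evil.example/bg.png); }
a.fake { background-image: url("%68ttp://evil.example/x.png"); }
@import 'https://cdn.example.org/theme.css';
.ok { background: url(/static/logo.png); }
/* url(http://commented.example/) */
"""

if __name__ == "__main__":
    for kind, target in find_external_refs(SAMPLE_CSS, allowed_hosts=["cdn.example.org"]):
        print(kind, target)
```

A URL scan does not cover Arno's point about restyling or hiding existing elements; for a preview, rendering the uploaded stylesheet in a sandboxed iframe on a separate origin limits what it can affect.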