Home » Imported messages » comp.lang.php » Security risks allowing users to upload a css file?
Security risks allowing users to upload a css file? [message #181389] Wed, 15 May 2013 03:07
Bhushan N.N
Are there any security risks involved in allowing a user to upload a css file?

I will be using the uploaded css file for a preview. Using another HTML template I already have on the server.
Re: Security risks allowing users to upload a css file? [message #181397 is a reply to message #181389] Wed, 15 May 2013 10:12
Arno Welzel
On 15.05.2013 05:07, Bhushan N.N wrote:

> Are there any security risks involved in allowing a user to upload a css file?

This depends on how the CSS file is used on the server.

> I will be using the uploaded css file for a preview. Using another HTML template I already have on the server.

So - users can upload a file and this will be used by a
<link rel="stylesheet" type="text/css" href="..." />?

Well - it is possible to use CSS to obfuscate existing elements or even
to load data from other servers. So I would say - yes it is a risk if
you don't validate the CSS. It may not break your server, if it only
sends the data it stored earlier as a result of an upload - but it may
be misused by others to host fake websites on your machine.

--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
Re: Security risks allowing users to upload a css file? [message #181399 is a reply to message #181389] Wed, 15 May 2013 10:26
The Natural Philosoph
On 15/05/13 04:07, Bhushan N.N wrote:
> Are there any security risks involved in allowing a user to upload a css file?
>
> I will be using the uploaded css file for a preview. Using another HTML template I already have on the server.
Honey, there is a risk allowing a user to upload ANYTHING to a server.

Up to and including a TCP packet requesting a page...

Your job is to balance that risk with the reward you get from them for
allowing them to do it.


--
Ineptocracy

(in-ep-toc’-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.
Re: Security risks allowing users to upload a css file? [message #181401 is a reply to message #181389] Wed, 15 May 2013 10:35
Jerry Stuckle
On 5/14/2013 11:07 PM, Bhushan N.N wrote:
> Are there any security risks involved in allowing a user to upload a css file?
>
> I will be using the uploaded css file for a preview. Using another HTML template I already have on the server.
>

Uploading files always has security risks. Even connecting to the
internet has security risks. The only way to not have any security risk
is to not have any USB ports, DVD drives, etc. on the machine, lock the
machine in a vault with no connection to the outside world, and don't
give anyone the key. Even then your machine isn't perfectly safe.

Of course, such a machine wouldn't be very useful.

There are always security risks. You need to balance the risks vs. the
rewards.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Security risks allowing users to upload a css file? [message #181404 is a reply to message #181389] Wed, 15 May 2013 12:44
Denis McMahon
On Tue, 14 May 2013 20:07:29 -0700, Bhushan N.N wrote:

> Are there any security risks involved in allowing a user to upload a css
> file?
>
> I will be using the uploaded css file for a preview. Using another HTML
> template I already have on the server.

Yes, css can be used to redirect links to, or load images (or almost
anything else) from third party sites.

It's also possible to obfuscate urls in css files using hexadecimal %xx
codes so that searching for common strings won't find them.

I would be very wary about allowing third parties to upload their own
unchecked css files to use with my website. I certainly wouldn't allow
such css to subsequently be served from my server without at least a regex
check to look for embedded urls and obfuscated url strings, and probably
a manual inspection as well.

--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
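
A sketch of the kind of regex check described in the post above, as an added example that is not code posted in this thread: it decodes CSS backslash escapes and %xx sequences first, then lists every `url(...)` or `@import` target that points off-site. The function names and the sample stylesheet are constructed for illustration, and the check is a first filter alongside manual inspection, not a full CSS parser.

```php
<?php
// Added example: list off-site references in an uploaded stylesheet.

/** Undo CSS backslash escapes (\75 -> "u", \( -> "(") and %xx encoding. */
function css_normalise(string $css): string
{
    // Hex escapes: backslash, 1-6 hex digits, one optional whitespace.
    $css = preg_replace_callback(
        '/\\\\([0-9a-fA-F]{1,6})\s?/',
        function ($m) {
            $c = mb_chr(hexdec($m[1]), 'UTF-8');
            return $c === false ? '' : $c;   // drop invalid code points
        },
        $css
    );
    $css = preg_replace('/\\\\(.)/s', '$1', $css);  // \x -> x
    return rawurldecode($css);                       // %74 -> t
}

/** Return the decoded targets that carry a scheme or start with "//". */
function css_external_refs(string $css): array
{
    $norm = css_normalise($css);
    // url(...) in any letter case, quoted or unquoted.
    preg_match_all('/url\(\s*["\']?\s*([^"\')]+)/i', $norm, $u);
    // @import "..." written without url().
    preg_match_all('/@import\s+["\']([^"\']+)/i', $norm, $i);

    $found = [];
    foreach (array_merge($u[1], $i[1]) as $ref) {
        $ref = trim($ref);
        // "scheme:" (http:, data:, ...) or protocol-relative "//host".
        if (preg_match('~^(?:[a-z][a-z0-9+.-]*:|//)~i', $ref)) {
            $found[] = $ref;
        }
    }
    return array_values(array_unique($found));
}

// Constructed sample upload: one relative URL, three off-site references.
$sample = <<<'CSS'
body { background: url(img/bg.png); }
@import "//cdn.example.net/a.css";
.a { background: \75\72\6c(http://one.example.org/p.gif); }
.b { background: URL("http://%74wo.example.org/q.gif"); }
CSS;

print_r(css_external_refs($sample));
```

A non-empty result is a reason to reject the upload or hold it for review; the relative `img/bg.png` reference is not reported.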
Re: Security risks allowing users to upload a css file? [message #181407 is a reply to message #181389] Wed, 15 May 2013 15:14
Bhushan N.N
Thanks everyone :)