Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

DataObjectManager Module /

Discuss the DataObjectManager module, and the related ImageGallery module.

Moderators: martimiz, UncleCheese, Sean, biapar, Willr, Ingo, swaiba, simon_w

Security and disable_authentication();


Reply


2 Posts   491 Views

Avatar
TimGS

Community Member, 2 Posts

7 July 2011 at 2:24am

Hi,

I got a 302 error from Uploadify when running on a Zeus server, and solved it with UploadifyField::disable_authentication();

To what extent does this comprise a security problem? I presume anyone can upload files and hence cause DoS, but are there any other implications?

thanks,
-- Tim.

Avatar
UncleCheese

Forum Moderator, 4094 Posts

8 July 2011 at 9:09am

Good question. The problem is that the Flash request starts a new session on the server, so you lose your authentication unless you apply some trickery. The trickery doesn't always work, which is why the next best option is to disable the authentication and route the upload to a publicly exposed controller.

If you look at UploadifyUploader.php, you'll see it's a public controller that, in theory, could be gamed to add files to your system. It's unlikely, but possible. If someone created a post request containing "Filedata" and "FolderID", it could be used maliciously, especially if someone was able to upload a script. But in reality you should not have execute permissions on user uploaded files, anyway. Many websites have public-facing forms that feature uploads and deal with these issues all the time.

So that's pretty much it. I'm always looking for better ways to do this, but until HTML5 gets more support, we're kind of stuck with the plethora of concessions we make for Flash originated uploads.

--------------------
SilverStripe tips, tutorials, screencasts and more: http://www.leftandmain.com