  • TimGS

    Security and disable_authentication();

    Hi,

    I got a 302 error from Uploadify when running on a Zeus server, and solved it with UploadifyField::disable_authentication();

    To what extent does this comprise a security problem? I presume anyone can upload files and hence cause DoS, but are there any other implications?

    thanks,
    -- Tim.

  • UncleCheese

    Re: Security and disable_authentication();

    Good question. The problem is that the Flash request starts a new session on the server, so you lose your authentication unless you apply some trickery. The trickery doesn't always work, which is why the next best option is to disable the authentication and route the upload to a publicly exposed controller.

    If you look at UploadifyUploader.php, you'll see it's a public controller that, in theory, could be gamed to add files to your system. It's unlikely, but possible. If someone created a post request containing "Filedata" and "FolderID", it could be used maliciously, especially if someone was able to upload a script. But in reality you should not have execute permissions on user uploaded files, anyway. Many websites have public-facing forms that feature uploads and deal with these issues all the time.

    So that's pretty much it. I'm always looking for better ways to do this, but until HTML5 gets more support, we're kind of stuck with the plethora of concessions we make for Flash originated uploads.

    --------------------
    SilverStripe tips, tutorials, screencasts and more: http://www.leftandmain.com
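
An added example, not part of the thread and not Uploadify or DataObjectManager code: one way a public upload endpoint like the one described above can still tie each request to a logged-in member, by verifying an HMAC token issued inside the authenticated page and bound to the FolderID, and by allowlisting file extensions. The function names, the extra token field, the secret and the allowlist are assumptions.

```php
<?php
// Added illustration; all names, the allowlist and the secret are hypothetical.
const TOKEN_TTL = 300; // seconds a token stays valid
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

// Issued while rendering the upload form, inside the authenticated session,
// and sent by the client as an extra POST field next to Filedata and FolderID.
function issue_upload_token(string $secret, int $memberId, int $folderId, int $now): string
{
    $payload = $memberId . '.' . $folderId . '.' . ($now + TOKEN_TTL);
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Run by the public upload controller. Returns the member ID, or null.
function verify_upload_token(string $secret, string $token, int $folderId, int $now): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 4) {
        return null;
    }
    [$member, $folder, $expires, $mac] = $parts;
    if (!ctype_digit($member) || !ctype_digit($folder) || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', "$member.$folder.$expires", $secret);
    if (!hash_equals($expected, $mac)) {
        return null; // forged or altered token
    }
    if ((int) $expires < $now || (int) $folder !== $folderId) {
        return null; // expired, or issued for a different folder
    }
    return (int) $member;
}

// Refuse extensions outside the allowlist and never reuse the client's file name.
function safe_stored_name(string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample values standing in for a real request.
$secret = 'constructed-demo-secret';
$token  = issue_upload_token($secret, 42, 7, time());
var_dump(verify_upload_token($secret, $token, 7, time())); // token used as issued
var_dump(verify_upload_token($secret, $token, 8, time())); // FolderID changed by the client
var_dump(safe_stored_name('shell.php'));                   // script extension
```

Accepted files should still be stored in a directory the web server does not execute, the control the reply above relies on.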
