One application for multiple sites, maintainability vs security

#8
Bramme
"different clients will be able to access each other’s files, through the disabled basedir restriction on the CMS account. "

I'd just dynamically make subfolders for every user's uploads and then let them only access their folder... Hardcode the folder URI in your CMS, protect the actual dirs with a .htaccess and I think you're set for that problem.

As for the PHP scripts: I guess you could scan for PHP and text files, read them into a variable and scan that variable for possible malicious code. If you found something, first display a warning "Caution: your file might contain malicious code, if anything bad happens to your site you are completely responsible". Then if they press "Okay, upload anyway", you move the uploaded file to their dir and keep it there. If they select "don't upload" you of course destroy the file...

Also, what I just thought of: if your users can upload CSS files, make sure the frontend of your application has a securely set MySQL user, that can only do a select few queries and only access their own table.
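
A sketch of the per-user upload folder idea from the post above, as an added example that is not part of the original post or of CodeIgniter. The base path `UPLOAD_ROOT`, the function names and the extension allow-list are assumptions.

```php
<?php
// Added example: confine each CMS user's uploads to their own subfolder.
// UPLOAD_ROOT, the function names and the allow-list are assumptions.
const UPLOAD_ROOT = '/var/www/uploads';            // hypothetical base directory
const ALLOWED_EXT = ['jpg', 'png', 'gif', 'css', 'txt'];

// Build the user's folder from the server-side user id, never from request input.
function user_upload_dir(int $userId): string
{
    $dir = UPLOAD_ROOT . '/' . $userId;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create upload dir');
    }
    return realpath($dir);
}

// Return a safe destination path inside the user's folder, or throw.
function safe_destination(int $userId, string $clientName): string
{
    $name = basename(str_replace('\\', '/', $clientName)); // drop any path parts
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($name === '' || $name[0] === '.' || !in_array($ext, ALLOWED_EXT, true)) {
        throw new InvalidArgumentException('file type not allowed');
    }
    // Reject a script extension anywhere in the name, e.g. name.php.jpg
    if (preg_match('/\.(php\d?|phtml|phar)(\.|$)/i', $name)) {
        throw new InvalidArgumentException('script extension not allowed');
    }
    return user_upload_dir($userId) . '/' . $name;
}

// Check that a requested file really lives inside the user's own folder.
function owned_by_user(int $userId, string $requested): bool
{
    $base = user_upload_dir($userId);
    $real = realpath($base . '/' . $requested);   // resolves ../ and symlinks
    return $real !== false
        && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// Usage inside an upload handler (user id comes from the session):
// $dest = safe_destination($sessionUserId, $_FILES['upload']['name']);
// move_uploaded_file($_FILES['upload']['tmp_name'], $dest);
```

The `.htaccess` protection mentioned in the post still applies on top of this, so that nothing stored under the upload root is executed by the web server.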


Messages In This Thread
One application for multiple sites, maintainability vs security - by El Forum - 07-22-2008, 03:26 AM
