Rastin Mehr

June 28 2021

Preventing a php shell upload attack in your custom apps

A common attack against applications that allow file upload is unrestricted file upload: the back-end accepts whatever the client sends without checking the file type against a restricted list of allowed mime-types.

In the Anahita default installation, the only file uploads happen when a user uploads an avatar, cover image, or photo. In all cases, only certain mime types are allowed. If you are developing custom applications for Anahita that enable file uploads for videos, sound files, or documents, you MUST check the file type in your back-end code and allow only a specific list of mime-types. 

Otherwise, someone could try uploading a PHP shell file that exposes critical information about your server.
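The following is an added example, not code from the Anahita project, of the back-end check described above: it sniffs the mime-type from the uploaded file's content (never from the client-supplied `$_FILES[...]['type']` field or the original file name), compares it against an allowlist, and stores the file under a random server-chosen name in a directory that is not under the web root. The function names, the allowlist contents and the `/var/anahita-uploads` path are assumptions for illustration.

```php
<?php
// Added example (not Anahita's own code): server-side allowlist check for an
// uploaded file before it is stored. Helper names and paths are hypothetical.

// Allowlist: detected mime-type => the extension the file will be stored with.
// Adjust to what your app actually needs (videos, sound files, documents...).
const ALLOWED_UPLOAD_TYPES = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'video/mp4'       => 'mp4',
    'audio/mpeg'      => 'mp3',
    'application/pdf' => 'pdf',
];

/**
 * Validate one entry of $_FILES and return the extension to store it under.
 * Throws on anything that is not on the allowlist.
 */
function validateUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . ($file['error'] ?? 'n/a'));
    }
    // Only accept files that PHP itself received through the HTTP request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // $file['type'] and $file['name'] are chosen by the client, so ignore them.
    // Sniff the mime-type from the file's actual bytes instead.
    $finfo    = finfo_open(FILEINFO_MIME_TYPE);
    $detected = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);

    if ($detected === false || !isset(ALLOWED_UPLOAD_TYPES[$detected])) {
        throw new RuntimeException('Rejected upload of type ' . var_export($detected, true));
    }
    return ALLOWED_UPLOAD_TYPES[$detected];
}

/**
 * Move a validated upload into $storageDir under a random, server-chosen name.
 * $storageDir must be outside the web root (or a mount backed by S3), so that
 * nothing placed there can ever be requested from the web server and executed.
 */
function storeUpload(array $file, string $storageDir): string
{
    $ext  = validateUpload($file);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storageDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    return $dest;
}

// Usage from an upload handler (hypothetical form field and directory):
// $path = storeUpload($_FILES['document'], '/var/anahita-uploads');
```

Two design points worth noting: the stored file name is generated on the server, so the original name (and its extension) never reaches the filesystem, and the mime-type allowlist is applied on the detected type rather than on the extension. Content sniffing is still a heuristic, which is why the storage location matters as much as the check: keep uploads where the web server will never hand them to the PHP interpreter.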

Another important tip is to use AWS S3 for storing your uploaded files. The storage is much cheaper and the performance is much better, and, more importantly, a PHP shell file cannot execute in an AWS S3 bucket. Anahita, by default, stores the uploaded files in the assets directory in the root of Anahita. Use that option only on your development machine for testing your apps. On your Staging and Production servers, DO NOT store uploaded files in the root of your Anahita installation; instead, put all the files in AWS S3 buckets.

#Anahita #AWSS3 #Security #AppDevelopment #MimeTypes
