
As we know, uploading executable files is not safe. But if we change the extension of a file from exe to txt, then the file gets uploaded. How do I prevent this?

Ayush3g

1 Answer

You can not block the upload of executable files. That's it, there's no way around it. However, you can change the way you think of uploaded files.

First thing you need to do is to know where your users upload files, and then lock down that directory. If you're using Apache, you can prevent it from asking to execute files in a certain directory by adding the following to your http.conf.

```apache
# Upload directory: refuse to run CGI from it, and ignore any .htaccess
# that might end up there along with the uploads.
<Directory "/var/www/my-upload-dir">
  AllowOverride None
  Options -ExecCGI
</Directory>
```

Other things you can do include using random names for the files once uploaded, only serving the files via a proxy script and storing the files above your document root.

Finally, a very important thing is to never include, use or import any user-uploaded file.

Adi
  • Couldn't you block win32 executables by checking each uploaded file for starting with the MZ-Header? – Philipp Feb 13 '14 at 18:19
  • @Philipp Had the OP specified Windows, I'd probably have recommended something like that. However, I did the reasonable and sensible thing by suggesting the general standard approach that works on 66% of the servers in the world. – Adi Feb 13 '14 at 19:01
  • the OP specifically mentioned ".exe". – Philipp Feb 13 '14 at 19:08
  • @Philipp Oho, well in that case you're right. Woohoo! But I still wouldn't rely on that, though. The OP wants to prevent the upload of the file altogether. Simply changing the magic number bypasses this detection method. It'd be a neutralized threat, though. – Adi Feb 13 '14 at 19:57
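The storage-and-proxy pattern the answer recommends (random names, files kept above the document root, served only through a script), as an added example in Python that is not part of the original post. The store path `/srv/app-uploads` and the function names are assumptions for illustration.

```python
import os
import re
import secrets
from pathlib import Path

# Hypothetical store location: outside the document root, so no URL maps to it.
UPLOAD_ROOT = Path("/srv/app-uploads")
_ID_RE = re.compile(r"^[0-9a-f]{32}$")

def store_upload(data: bytes, upload_root: Path = UPLOAD_ROOT) -> str:
    """Write the upload under a random, extension-less name and return the id.
    The client-supplied filename is never used: its extension decides nothing
    here, so renaming evil.exe to evil.txt (or back) changes nothing."""
    upload_root.mkdir(parents=True, exist_ok=True)
    file_id = secrets.token_hex(16)
    dest = upload_root / file_id
    # O_EXCL: fail rather than silently overwrite if the id already exists.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return file_id

def is_valid_id(file_id: str) -> bool:
    """Only ids we could have generated are accepted; anything else is a 404."""
    return bool(_ID_RE.match(file_id))

def safe_download_name(name: str) -> str:
    """Reduce a user-chosen name to a single, harmless path component."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return base or "download"

def serve_download(file_id: str, download_name: str, upload_root: Path = UPLOAD_ROOT):
    """Proxy-script logic: resolve an id (never a path) and force a download.
    Returns (headers, body), or None when the id is malformed or unknown."""
    if not is_valid_id(file_id):
        return None
    path = upload_root / file_id
    if not path.is_file():
        return None
    headers = {
        # Never let the browser render or sniff the body into something active.
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition":
            'attachment; filename="%s"' % safe_download_name(download_name),
    }
    return headers, path.read_bytes()
```

The stored file keeps no extension at all, so even a misconfigured handler mapping on the web server has nothing to match against.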