Downloading and uploading unsafe files - File upload vulnerability repair solution

File upload vulnerability fix

Given the characteristics of the file upload vulnerability and the three conditions that must all be met for it to be exploited, blocking any one of those conditions is enough to stop file upload attacks:

1. The most effective measure is to make the upload directory non-executable. On Linux, revoke the 'x' permission on the directory. In practice, many large websites place uploaded files on separate storage and serve them purely as static files, where no dynamic file is ever parsed. This is convenient for cache acceleration and lowers resource consumption, and it also eliminates any possibility of script execution;

2. File type checking: a whitelist approach is strongly recommended (it is hard to bypass as long as the middleware version is recent), combined with MIME type checks, suffix checks, and so on. In addition, images can be passed through a compression or resize function, so that processing the image destroys any HTML code embedded in it;

3. Use random numbers to rewrite the file name and file path, so that an uploader cannot easily locate the file they uploaded;

4. Use a separate domain name for the file server;
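An added example, not code from the original post, that combines points 1 to 3 above in Python: the extension whitelist with a hypothetical policy table (suffix, declared MIME type and file magic bytes must all agree), storage under a random name in a random subdirectory, and the execute bit stripped from the stored file. The web server must still be configured not to parse anything under the upload root; that part is deployment configuration and is not shown here.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Whitelist (hypothetical policy for this example): each allowed extension maps
# to the magic bytes the content must start with and the MIME type the client
# must declare. Anything not listed is rejected; nothing is blacklisted.
ALLOWED = {
    "png":  ({b"\x89PNG\r\n\x1a\n"}, "image/png"),
    "jpg":  ({b"\xff\xd8\xff"}, "image/jpeg"),
    "jpeg": ({b"\xff\xd8\xff"}, "image/jpeg"),
    "gif":  ({b"GIF87a", b"GIF89a"}, "image/gif"),
}

def validate_upload(original_name, declared_mime, data):
    """Return the whitelisted extension or raise ValueError.
    Suffix, declared MIME type and actual content must all agree."""
    base = os.path.basename(original_name.replace("\\", "/"))  # drop client path
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        raise ValueError(f"extension not allowed: {ext!r}")
    magics, mime = ALLOWED[ext]
    if declared_mime != mime:
        raise ValueError("declared MIME type does not match extension")
    if not any(data.startswith(m) for m in magics):
        raise ValueError("file content does not match extension")
    return ext

def store_upload(original_name, declared_mime, data, upload_root=None):
    """Validate, then store under a random name in a random subdirectory
    with the execute bit stripped. The client-supplied name is never reused,
    so double extensions such as 'a.php.jpg' never reach the filesystem."""
    ext = validate_upload(original_name, declared_mime, data)
    root = Path(upload_root or tempfile.mkdtemp()).resolve()
    dest = root / secrets.token_hex(4) / f"{secrets.token_hex(16)}.{ext}"
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    os.chmod(dest, 0o644)  # rw-r--r--: no 'x' bit on the stored file
    return dest

def has_exec_bit(path):
    """True if any execute bit is set on the given path."""
    return bool(os.stat(path).st_mode & 0o111)
```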

Personal experience: in a real environment, the file storage server should be isolated from critical systems as much as possible, so that even if something goes wrong the consequences are not severe. The root of this problem lies in parsing, so serving uploaded files as static content, which eliminates the possibility of execution, is also fundamental; that is the defensive measure for the case where the attacker does manage to upload a file.
On the other hand, the upload path itself must be guarded strictly: intercept, destroy, and modify the attacker's files so that any uploaded Trojan is rendered useless.

(I have recently been studying these few vulnerabilities and I am a bit dazed; whenever I see a text box I want to try inserting something. I accidentally found that CSDN blog titles automatically delete spaces.)


Origin blog.csdn.net/weixin_43079958/article/details/105377333