cffile help

Status
Not open for further replies.

AsianOne974

Programmer
Oct 27, 2003
5
US
Please help! I'm a newbie.

My client would like to implement an upload feature on their website. Users would be able to upload files from the client machine to a folder called ‘upload_dir’. I was able to use <cffile> successfully as long as all the restrictions were removed from the folder. But, my client is concerned with security issues involved with having a folder without any restrictions so they would like to create an owner (upload_user) for the folder and only this user will have access to write to the folder. By doing so, <cffile> no longer works.

The site will have numerous users but only certain users will have upload privileges. So if Bob has permission to upload files, how can I do the upload for Bob so that it uses 'upload_user' as the profile to upload to the directory. Is there any way to make this work using <cffile>? If there is, please share. Any help will be greatly appreciated.

AOne
 
Well, I'm not sure if you can do that with CFFILE, but maybe you could have all users upload to 1 directory with CFFILE, then move the file via CFFTP using the current user's credentials to the folder that they own.


=========================================
I have not failed. I've just found 10,000 ways that won't work.
Thomas A. Edison
 
Unfortunately, that still will not work because that one folder will not be secure. Thanks.
 
In what sense would it not be secure? What I mean is, what is your client trying to prevent by having the upload folder locked so that only a certain user is able to write to it?

CF runs as the local system account (I'm assuming you're on Win), so the CFFILE would add the file using that account (if I remember correctly). If you make the local system account the only user with write privileges to that folder, wouldn't that accomplish the same thing as what you are trying to do: have only 1 user with write privs?

What version of CF do you have? The Enterprise version comes with sandbox security, which may help you. If you have Standard, it's called Resource Security in the admin.


=========================================
I have not failed. I've just found 10,000 ways that won't work.
Thomas A. Edison
 
NorthStarDA,

Thanks for all your help so far. I don't want to be a pain.

To answer your question, the client is concerned with hackers being able to potentially upload and execute files on the server through a remote location other than the website if the folder is not locked to one account.

The server is actually a UNIX box. Will your recommendation still work for UNIX?

This will not work in the current environment because the server contains other sites with other user accounts. But it may be an option when we get a separate box for this site alone. I just need some way to implement uploading on this site with the way the server is currently set up.

Thanks again.
 
Hmm, I've never run CF on Unix so I can't tell you how that would work.

Another thing I'm not clear on is what makes the upload folder any different from any other folder on the system when looking at it from a hacker's standpoint. I can't see how it would be any easier to run a script from that folder than any 1 of the other folders that do have execute permissions.

I'm not a security guru, so maybe someone more savvy can help you out. It's not a pain; I'd like to know more for my own information.


=========================================
I have not failed. I've just found 10,000 ways that won't work.
Thomas A. Edison
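
The single-writer setup discussed in this thread can be checked on a UNIX host with a short POSIX shell function. This is an added example and not part of any post above: it verifies that the upload folder has one owner, that only the owner can write to it, and that nothing stored in it is executable or a CFML template. The directory path and account name are arguments supplied by the caller (`upload_dir` and `upload_user` are the names used in the original question), and the account must be the one the ColdFusion process actually runs as for <cffile> to keep working.

```shell
# Added example (not from the thread). Assumptions: the caller passes the
# upload directory and the one account that is supposed to own it.
# Usage: audit_upload_dir /path/to/upload_dir upload_user
audit_upload_dir() {
    dir=$1
    owner=$2
    findings=0

    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # 1. The directory must belong to the single upload account.
    if [ -n "$(find "$dir" -prune ! -user "$owner")" ]; then
        echo "FAIL: $dir is not owned by $owner"
        findings=$((findings + 1))
    fi

    # 2. Nobody except the owner may create or replace files in it.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "FAIL: $dir is writable by group or other"
        findings=$((findings + 1))
    fi

    # 3. Stored uploads should never carry an execute bit.
    exec_files=$(find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \))
    if [ -n "$exec_files" ]; then
        echo "FAIL: executable files present:"
        echo "$exec_files"
        findings=$((findings + 1))
    fi

    # 4. CFML templates are interpreted by the server and need only read
    #    permission, so the execute bit alone does not cover them.
    cf_files=$(find "$dir" -type f -name '*.[cC][fF][mMcC]')
    if [ -n "$cf_files" ]; then
        echo "FAIL: CFML templates present:"
        echo "$cf_files"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ] && echo "OK: $dir"
    return "$findings"
}
```

The return value is the number of failed checks, so the function can gate a deployment script or run from cron.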
 