General submission upload security

I’m very interested in the method for allowing anyone to submit a new page in Kirby as described in the Allow guests to create pages from Panel or frontend post.

What are the biggest threats to the Kirby CMS that someone could introduce via an online form? And how can we guard against these? (I use the Uniform plugin a lot so would probably use their validation rules for starters)

And because Kirby is a flat-file system, seems like would automatically avoid SQL injection attack potential. (I did find the Kirby escape() method mentioned in Creating pages from frontend, and the csrf() mentioned here.

I think the obvious risk wether or not to allow file uploads - certain file types can be booby trapped.

You probably also want to check that an uploaded file is what it says it is. Just because it has a particular extension does not mean it is that kind of file - it might be an executable file or a zip containing malicious stuff, but masquerading as an image or something. Trusting the file extension is not enough.

Just another thought on file uploads - You could consider using the Dropbox API to upload the files to Dropbox rather then your server - I’m guessing Dropbox has some pretty hardcore malware / threat detection in place. Let them scan for you and sync the safe files back to your server.

1 Like

There are quite a few things to think about on top of what you have already mentioned:

  • file uploads: if you have to allow file uploads, make sure that you get the right file type, never use the original filename for storing the file, ideally upload to a folder outside the web root, check the file with Antivirus software before they are opened, limit the allowed file size etc. Files may contain malicious code that can exploit vulnerabilities, do damage on your server or infect your website visitors.

E.g. If a file contains executable code and the file is stored in a place where the user can access it, he could easily execute that code.

  • text input: when storing the content, make sure you get the information you want using validation. When outputting that content again, make sure that it can’t do any damage, by escaping that code but also be careful before using user input variables in functions (e.g. something like $page->{$uservariable}(), not so nice if the variable says “delete” )etc, as that may lead to unwanted results and can damage your site.

While you don’t run into risks with SQL injection unless you store your stuff in a database, there’s still a lot that can happen.

Further reading:

You can read a lot more on that site about strategies to validate user input etc.

1 Like

@lukehatfield Scratch the Dropbox idea… I am very surprised but it looks like they don’t care at all. They are well placed to help stop the global spread of viruses - it’s crazy that they don’t.

It looks like Onedrive does scan things though, so you maybe able to use that instead.

1 Like