chuckylefrek — 2012-07-31T07:18:28-04:00 — #1
I have created a page that allows users to upload videos and I would like to try and make it more secure.
Currently the page is password protected. The password is stored in the php page as a sha1 hash. Therefore when the user enters a password and clicks submit, it compares a hashed version of what they entered with the hashed version hard coded in the php page.
If the passwords match, they are then presented with the form to upload a video.
I have no checks on the file type as the client wants it to accept every video file format and checking for extensions was not that feasible as I imagine there is a large number of possible extensions. So currently any file type is allowed. I don't feel too comfortable about this.
The files are uploaded to a folder in the root called "media" which is currently set to chmod 777 - I am sure it doesn't need to have this much access rights but wanted to at least be sure it works for testing. Would appreciate advice on what chmod setting I should use for this "media" folder.
There is no need to display the videos online in any form. I have created a password protected admin area (just using the shared hosting control panel to set up the password protected directory). The admin area enables the admin to view a list of all videos uploaded and provides a link to each to download a zipped copy of the video. So the admin does not requiire the ability to view the videos online.
So I wondered if there is a way to secure the "media" folder to prevent anyone else viewing or downloading the video files?
Any advice much appreciated.
dklynn — 2012-07-31T18:35:01-04:00 — #2
Why would you enable file execution? Why would you enable file execution for VISITORS? IMHO, 666 is not only appropriate but the safer chmod.
Secure the folder against reading? Subtract 4 from the chmod digits (except yours [OWNER], of course). That should prevent access but I'd move your media directory outside the "webspace" if you really want to ensure that the files are not read by anyone but you (and PHP - so it can ZIP the file for you and move the ZIP file to a location within the "webspace").
chuckylefrek — 2012-08-01T03:13:52-04:00 — #3
I tried to change the permissions of the media folder to 666 but it keeps defaulting to 766 when I review the settings.
Also you recommend moving the media folder outside the webspace - however when I log in via FTP it puts me straight into the root and does not allow me to go up a level. I assume I would need to go up a level to create the media folder outside the webspace?
dklynn — 2012-08-01T23:30:09-04:00 — #4
You've created a user's FTP for your upload. Go back to cPanel and create one for you as the owner of the account and set it to your account's root (not the website's DocumentRoot). Putting "secure" information there (outside the webspace) protects it from access via browsers (albeit, not from FTP using your account's FTP).