20

We have a Drupal application developed for sharing files.

  1. We are allowing zip files to be uploaded by logged in departmental user.
  2. We are using Drupal private file system (outside webroot).
  3. We are using php Fileinfo for validation.
  4. Only logged in user will be able to download the file.

Now our security team is not allowing zip uploads saying it is a threat. I want to know the security threats by having this feature and what can I do to prevent it.

msmani
  • 2
    A minor point, but if you have no execute permission on the upload folder, you would not be able to provide the files for download - regardless of the permissions of the files. – lynks Apr 04 '13 at 11:44
  • How is the security team "not allowing" zip uploads? Is it a policy issue, or are the uploads crossing a network boundary with a IPS or application firewall that is blocking it? – bonsaiviking Apr 04 '13 at 11:59
  • @lynks my mistake – msmani Apr 04 '13 at 12:36
  • @bonsaiviking They were saying that zip files may contain malicious script and somehow that could get executed and put the application under risk. But I couldn't understand how it will get executed? – msmani Apr 04 '13 at 12:44

4 Answers

12

One area where ZIP files could present a risk to the application is the zip bomb attack. This occurs where an archive is constructed in such a way that when it's opened it consumes a large quantity of space on the server, potentially causing it to crash.

It might be possible to mitigate this issue by opening zip files on a dedicated filesystem and then aborting the unzip action if a predetermined maximum size is reached.

Rory McCune
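The two gates this answer describes (inspect before unpacking, and abort the unpack once a cap is reached) as an added example; it is not code from the answer or from Drupal. It is written in Python's standard `zipfile` module rather than PHP so it runs stand-alone, and the limits (10 MiB total, 100:1 ratio) and the sample archives are assumed values constructed here for illustration. The first gate reads only the central directory; the second streams each entry out and counts the bytes actually produced, so the cap holds regardless of what the headers declare.

```python
import io
import os
import tempfile
import zipfile

# Policy values assumed for this example (not Drupal settings): hard cap on the
# bytes an archive may expand to, and the highest compression ratio tolerated.
MAX_TOTAL_UNCOMPRESSED = 10 * 1024 * 1024   # 10 MiB across all entries
MAX_COMPRESSION_RATIO = 100                 # uncompressed bytes per compressed byte
CHUNK = 64 * 1024


def make_zip(entries):
    """Build a deflate-compressed zip in memory from {name: bytes}.  Used only to
    construct the sample archives below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def check_declared_sizes(data):
    """Gate 1: read only the central directory.  Reject archives whose declared
    total size or overall compression ratio exceeds policy, without extracting."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile as exc:
        return False, f"not a valid zip: {exc}"
    total_out = sum(i.file_size for i in infos)
    total_in = sum(i.compress_size for i in infos)
    if total_out > MAX_TOTAL_UNCOMPRESSED:
        return False, f"declared size {total_out} exceeds limit"
    if total_in and total_out / total_in > MAX_COMPRESSION_RATIO:
        return False, f"compression ratio {total_out // total_in}:1 exceeds limit"
    return True, "ok"


def extract_bounded(data, dest):
    """Gate 2: stream entries out in chunks, counting bytes actually produced,
    and abort (removing the partial file) as soon as the cap is crossed.  This
    enforces the limit on real output rather than on what the headers claim.
    Entry names are reduced to their basename so no path escapes dest."""
    written = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            out_path = os.path.join(dest, os.path.basename(info.filename))
            over_limit = False
            with zf.open(info) as src, open(out_path, "wb") as dst:
                for chunk in iter(lambda: src.read(CHUNK), b""):
                    written += len(chunk)
                    if written > MAX_TOTAL_UNCOMPRESSED:
                        over_limit = True
                        break
                    dst.write(chunk)
            if over_limit:
                os.remove(out_path)
                return False, f"aborted: output exceeded {MAX_TOTAL_UNCOMPRESSED} bytes"
    return True, f"extracted {written} bytes"


def extract_to_tempdir(data):
    """Run extract_bounded into a throwaway directory (the dedicated filesystem
    the answer suggests would take its place in production)."""
    with tempfile.TemporaryDirectory() as dest:
        return extract_bounded(data, dest)


# Constructed samples: an ordinary upload, an archive whose ratio is suspicious,
# and one whose declared size alone exceeds the cap.
BENIGN = make_zip({"data.bin": os.urandom(4096)})
RATIO_BOMB = make_zip({"zeros.bin": b"\0" * (8 * 1024 * 1024)})
SIZE_BOMB = make_zip({"zeros.bin": b"\0" * (12 * 1024 * 1024)})

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("ratio bomb", RATIO_BOMB), ("size bomb", SIZE_BOMB)]:
        print(label, check_declared_sizes(sample), extract_to_tempdir(sample))
```

Note that the ratio check only sees one level: a nested bomb (small zips inside a zip) passes gate 1 and is caught only if the same gates are applied again at every level of unpacking, or if nested archives are refused outright.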
11

There are no security threats. At least not any that are specific to zip files.

The major concerns have already been outlined by other users. However, all of these are either not harmful to the application itself or not specific to zip files.

  1. Zip Bomb attacks, as described by Rory McCune.
    These are only a concern if the files will be unpacked.
  2. Inclusion of malicious content inside of the zip file.
    However, this would only impact entities unpacking and executing files inside the zip file. An application would not normally do this, but a user might.
  3. Concerns of security exploits or malicious executables
    This is not a concern only with zip files, but with any file extension. A file being marked as executable or not does not prevent its execution.
user606723
  • They are also saying that if the application is co-hosted with another application then the attacker might upload some malicious script in my application and somehow reference/execute it via the other application. It is very vague for me to understand how it is possible. – msmani Apr 04 '13 at 12:52
  • 1
    @user1448660, That is certainly possible. If they are able to find security exploit that allows code execution on your application or another application, they will likely be able to execute the uploaded files in any manner they please. This is included in my (3) bullet point. However, they could potentially do this with any file extension. This isn't a concern local to zip files. – user606723 Apr 04 '13 at 12:57
  • @user1448660, keep in mind that if they find a way to do remote code execution, you've already lost. Having a zip file with code they want to execute might be convenient for them, but if they've gotten that far, they'll find another way. – user606723 Apr 04 '13 at 13:04
  • So is there any mechanism to prevent access to files by other application. – msmani Apr 04 '13 at 13:13
  • Make sure that proper security procedures are set up to ensure that the user hosting any other applications has no ability to read the directory in question. I.e. set up a user specific to that application. Allow no read access to the directory other than Drupal. – user606723 Apr 04 '13 at 13:19
10

The problem with a zip is that you aren't really sure what's inside of them. You would need to unzip the contents, scan for viruses and then you know that there aren't any known viruses in them.

Second of all, when file uploads are in use, you can only allow a certain amount of file extensions (whitelist rather than blacklist) and you need to verify that the files with this extension are indeed of that type (for instance a .bin changed to .txt). But every type of file can be encapsulated in a zip file. If you whitelist .zip and you don't check the contents, you are actually making the whitelist obsolete. So again you would need to check the contents of the zip file to make sure only a certain type of files are included in them.

So zip would only be feasible in the event that you need to reduce large file uploads that might congest the network, because to provide security you would still need to unzip them and check the contents. If you are doing this because you are thinking about conserving disk space, you are better off accepting the files in normal format and then zipping them yourself after you have checked them.

Lucas Kauffman
  • 2
    Yes I understand this, but this is a security threat for the application user, right? What our security team is saying is that the zip files can be a threat to the application itself, that's what I couldn't understand. Do you know how that is possible? – msmani Apr 04 '13 at 08:20
  • It's a risk for the server as you are uploading and saving files to your machine which might be malicious. – Lucas Kauffman Apr 04 '13 at 08:25
  • 2
    May I know how a malicious file inside a zip affects the server if we are not unpacking it? – msmani Apr 04 '13 at 12:59
  • Probably it doesn't. – Lucas Kauffman Apr 04 '13 at 13:06
  • 2
    Malicious content in those files is harmless by itself, but having them on your domain is risky since your website might be considered a malware distributor, which can trigger browser warnings or even lead to your hoster terminating their contract with you. – CodesInChaos Oct 08 '13 at 14:27
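The check this answer calls for (the extension whitelist applied to every entry inside the zip, with the content verified against the claimed type) as an added example; it is not code from the answer or from Drupal, and is written in Python's `zipfile` module rather than PHP so it runs on its own. The whitelist table, the entry cap, the nested-archive signatures and the sample archives are assumed values constructed here. The same inspection also rejects entry names that could escape the extraction directory, encrypted entries (which cannot be inspected), and archives nested inside the archive, since any of those would let content past the whitelist.

```python
import io
import posixpath
import zipfile

# Assumed policy for this example: extensions the service accepts, each with the
# leading bytes its content must carry (None = no fixed signature; text entries
# are instead checked for NUL bytes).  Tune the table to the real upload policy.
ALLOWED = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".txt": None,
}
# Leading bytes of archives nested inside the archive (zip, gzip, rar, 7z); these
# would let anything past the whitelist unless rejected or inspected recursively.
NESTED_ARCHIVE_SIGS = (b"PK\x03\x04", b"\x1f\x8b", b"Rar!", b"7z\xbc\xaf\x27\x1c")
MAX_ENTRIES = 200
SNIFF_LEN = 16


def make_zip(entries):
    """Build a zip in memory from {name: bytes}; only used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def unsafe_name(name):
    """Conservative path check: no absolute paths, drive letters, backslashes
    or '..' components, so extraction can never escape its target directory."""
    return (name.startswith("/") or "\\" in name or ":" in name
            or ".." in name.split("/"))


def inspect_archive(data):
    """Return a list of policy violations for the archive; an empty list means
    every entry has a whitelisted extension and content matching that type."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return [f"not a valid zip: {exc}"]
    problems = []
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            problems.append(f"too many entries ({len(infos)})")
        for info in infos:
            name = info.filename
            if unsafe_name(name):
                problems.append(f"{name}: unsafe path")
                continue
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:          # general-purpose bit 0 = encrypted
                problems.append(f"{name}: encrypted entry cannot be inspected")
                continue
            ext = posixpath.splitext(name)[1].lower()
            if ext not in ALLOWED:
                problems.append(f"{name}: extension not in whitelist")
                continue
            with zf.open(info) as fh:          # sniff the real content, not the name
                head = fh.read(SNIFF_LEN)
            if head.startswith(NESTED_ARCHIVE_SIGS):
                problems.append(f"{name}: nested archive")
                continue
            sig = ALLOWED[ext]
            if sig is not None and not head.startswith(sig):
                problems.append(f"{name}: content does not match {ext}")
            elif sig is None and b"\x00" in head:
                problems.append(f"{name}: binary content in text entry")
    return problems


# Constructed samples: one archive that meets the policy, and one that breaks
# it in four different ways (path escape, bad extension, renamed binary,
# nested archive hiding behind a whitelisted extension).
GOOD = make_zip({
    "report.pdf": b"%PDF-1.4\n%constructed sample\n",
    "notes.txt": b"plain text notes\n",
})
BAD = make_zip({
    "../escape.txt": b"outside the upload dir",
    "tool.exe": b"MZ\x90\x00",
    "image.png": b"MZ\x90\x00renamed binary",
    "archive.txt": make_zip({"inner.txt": b"x"}),
})

if __name__ == "__main__":
    print("good:", inspect_archive(GOOD))
    print("bad:", inspect_archive(BAD))
```

Signature sniffing of the first bytes is the same check PHP's Fileinfo performs on a single upload; applying it per entry is what keeps the whitelist meaningful once .zip is on it, and a rejected archive should be discarded as a whole rather than partially accepted.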
3

Also zip files are an attack vector vs AV engines (actually, every file type parsed by AV is a vector). Scenarios of vuln exploitation differ, but they range from something like memory corruption to arbitrary code execution.

fasmotol