-2
How do I create my own server I can upload things to (like google drive) with Ubuntu server
Right now I have a server in my basement with Ubuntu 18.04.1 that is running a program called webmin. it is really good, but I would like something more secure and meant more for just uploading files. Does anyone know of a program for Ubuntu server that sort of works like google drive.
Thanks!
Christian Azzam
Posted 2019-01-10T21:41:21.623
Reputation: 1
0
The first version of this answer linked to an old project that, although very small, turned out to be badly insecure. I'm grateful to @davidgo for looking at the code and pointing out its flaws to me.
Here is an alternative, phpFileManager, "a complete filesystem management tool on a single file". As davidgo points out, it probably has more people looking for potential security flaws. It is also still reasonably short, at 5783 lines of code.
There are also, as mentioned in the comments, larger projects like OwnCloud and Nextcloud. These have many additional features: contact and calendar sharing, photo galleries, and so on. However, they may present a steeper learning curve.
Terrestrials
Posted 2019-01-10T21:41:21.623
Reputation: 16
1Look at Owncloud and Nextcloud for robust host-your-own dropbox like systems. – davidgo – 2019-01-11T01:02:01.577
1That code is beautifully easy to read, and, if I'm reading the PHP correctly - entirely insecure. Look at index.php and you will see that the code to delete files (line 62), creating folders (line 93, uploading files (line 103) all happen before the user is logged in on 116 - in short, I can easily use it to upload arbitrary files and folders, delete arbitrary files WITHOUT HAVING LOGGED IN. Depending on how its configured I could take probably over the webserver that is running this script. Its not a wonder the owner no longer hosts it. – davidgo – 2019-01-11T01:46:35.897
@davidgo Wow thank you for pointing that out. I checked that I can indeed delete a file without logging in. I wonder if the script was actually designed with the intent of creating security holes, given that the author is somewhat anonymous. On the other hand it can only read, write, and delete stuff which is writable by http. I wonder if it is worth saving, as you point out the code is very elegant. – Terrestrials – 2019-01-11T16:54:29.293
Sorry, I meant "it can only write and delete stuff which is writable by http". I also noticed that I can easily list the contents of my home directory by e.g. appending "?path=../../../". So I think some additional checks have to be done before it could be called secure. If you are interested in helping with that then submit an issue to the Github project, otherwise I will probably delete it, as well as this answer. How embarrassing! – Terrestrials – 2019-01-11T17:16:10.333
I could be wrong don't think it is designed with evil intent. The Internet was a VERY different place 12 years ago. Also, the "most helpful" bugs I would have inserted/designed in - like providing a file list reading files and bypassing auth, are not apparent. It wouldn't be hard to fix these issues, but there are A LOT of similar scripts out there already - just Google PHP file manager. I found https://sourceforge.net/projects/phpfm/files/phpFileManager/ which, I suspect has a lot more eyes on it.
– davidgo – 2019-01-11T17:46:47.483@davidgo: OK, thank you for the learning experience. I'll delete the Github project. – Terrestrials – 2019-01-11T18:05:13.763
So you want a gui you can access from the internet to upload files? – Nordlys Jeger – 2019-01-10T21:53:48.743
Yes. Sort of like Webmin, but more met for uploading. – Christian Azzam – 2019-01-10T22:18:03.530