Re: Security risks allowing users to upload a css file? [message #181404 is a reply to message #181389] Wed, 15 May 2013 12:44
Denis McMahon
On Tue, 14 May 2013 20:07:29 -0700, Bhushan N.N wrote:

> Are there any security risks involved in allowing a user to upload a css
> file?
>
> I will be using the uploaded css file for a preview. Using another HTML
> template I already have on the server.

Yes, css can be used to redirect links to, or load images (or almost
anything else) from third party sites.

It's also possible to obfuscate urls in css files using hexadecimal %xx
codes so that searching for common strings won't find them.

I would be very wary about allowing third parties to upload their own
unchecked css files to use with my website. I certainly wouldn't allow
such css to subsequently be served from my server without at least a regex
check to look for embedded urls and obfuscated url strings, and probably
a manual inspection as well.

--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
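
Added example, not part of the original post or of any project's code: one way to implement the regex check suggested above in PHP, decoding CSS backslash escapes as well as the %xx codes before searching for embedded URLs. The function names and the sample stylesheet are constructed for illustration; PHP 7.4+ with the mbstring extension is assumed.

```php
<?php
// Added example. Function names are hypothetical; the sample CSS is constructed.
/** Undo CSS comments, backslash escapes and %xx encoding so hidden text becomes searchable. */
function normalise_css(string $css): string
{
    $steps = [
        // Comments can split up a string that a plain search would look for.
        '~/\*.*?\*/~s' => static fn(array $m): string => '',
        // Hex escape: backslash, 1-6 hex digits, one optional whitespace (\75 rl -> url).
        '/\\\\([0-9a-fA-F]{1,6})\s?/' => static fn(array $m): string => (string) mb_chr(hexdec($m[1]), 'UTF-8'),
        // Any other escaped character stands for itself (\u -> u).
        '/\\\\([^\r\n])/' => static fn(array $m): string => $m[1],
    ];
    foreach ($steps as $pattern => $decode) {
        $css = preg_replace_callback($pattern, $decode, $css);
        if ($css === null) {
            throw new RuntimeException('CSS normalisation failed'); // fail closed
        }
    }
    return rawurldecode($css); // %68%74%74%70 -> http
}
/** Return every construct in the stylesheet that can point at another resource. */
function find_css_references(string $css): array
{
    $checks = [
        '@import rule'    => '/@import\b/i',
        'url() reference' => '/url\s*\(/i',
        'absolute URL'    => '~(?:[a-z][a-z0-9+.-]*:)?//[^\s"\')]+~i',
    ];
    $text = normalise_css($css);
    $findings = [];
    foreach ($checks as $label => $pattern) {
        preg_match_all($pattern, $text, $matches);
        foreach ($matches[0] as $hit) {
            $findings[] = ['check' => $label, 'match' => $hit];
        }
    }
    return $findings;
}
// Constructed sample upload: both references are hidden from a plain string search.
$sample = <<<'CSS'
body { color: #333; }
a { background: \75 rl(%68%74%74%70://cdn.example.invalid/x.png); }
@im\70ort "//styles.example.invalid/a.css";
CSS;
foreach (find_css_references($sample) as $f) {
    printf("%-16s %s\n", $f['check'], $f['match']);
}
```

The findings are a list for the manual inspection the post recommends, not a verdict: a relative `url()` may be legitimate, so each hit still needs a decision.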