File Upload Security


  1. bjames
    Member

    My server was recently compromised because somebody was able to upload a file with '.php.tmp' as the extension via MachForms, then run it (this was while using v2.1). I've updated to v.3.3 and have restricted file uploads to only specific types. I came across an old post that said I could define 'UPLOAD_DIR' in config.php to specify a folder outside the document root to upload files to. I tried this and it did not work. The files still load into the data folder. I'm assuming this setting was a v.2 setting only? Is there a way with v.3 to specify the upload directory? Do you have any other suggestions for added file uploading security?

    Thanks...

    Posted 12 years ago #
  2. AMurray
    Pro Member

    Since V3, the config.php has little configuration information beyond the database detail that you need to set there. These days you can set most things from the Admin Panel in your installation of MachForm.

    Log into your Admin Panel
    Go to Settings
    In the (red) box "Miscellaneous Settings", click the link "Advanced Options"
    Complete the detail in the field "File Upload Folder". This must be the full file path to the folder being used, so I expect you can use a folder sitting one level above/outside the publicly accessible site root folder.

    I don't know of anything else you can do other than set the file types allowed for upload, which you have already found, and put in place.

    Posted 12 years ago #
  3. bjames
    Member

    Thanks for the response. That worked perfectly.

    Posted 12 years ago #
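
The two controls discussed in this thread, an allow-list of upload types and an upload folder outside the document root, as an added PHP example that is not MachForm's code and not written by either poster. The function names, the extension lists and the sample paths are assumptions made for illustration.

```php
<?php
// Added example, not MachForm code. Names, allow-list and paths are assumptions.

// Segments that some server configurations hand to an interpreter.
const EXECUTABLE_SEGMENTS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'pht', 'cgi', 'pl'];

// True only if the final extension is allow-listed and no earlier
// dot-separated segment is executable.
function is_upload_name_allowed(string $name, array $allowed): bool
{
    $segments = explode('.', strtolower(basename(str_replace('\\', '/', $name))));
    if (count($segments) < 2 || $segments[0] === '') {
        return false; // no extension, or a dotfile such as ".htaccess"
    }
    $last = array_pop($segments);
    array_shift($segments); // drop the base name, keep the middle segments
    if (!in_array($last, $allowed, true)) {
        return false;
    }
    return count(array_intersect($segments, EXECUTABLE_SEGMENTS)) === 0;
}

// True only if $uploadDir resolves (symlinks included) outside $docRoot.
function is_outside_docroot(string $uploadDir, string $docRoot): bool
{
    $u = realpath($uploadDir);
    $d = realpath($docRoot);
    if ($u === false || $d === false) {
        return false; // fail closed when either path cannot be resolved
    }
    $u = rtrim($u, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $d = rtrim($d, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($u, $d, strlen($d)) !== 0;
}

// Constructed sample input: a throwaway directory tree and file names.
$base = sys_get_temp_dir() . '/upload_demo_' . uniqid();
mkdir("$base/public_html/data", 0700, true);
mkdir("$base/private_uploads", 0700, true);
$allowed = ['pdf', 'jpg', 'png'];

foreach (['report.pdf', 'shell.php.tmp', 'shell.php.jpg', '.htaccess'] as $name) {
    printf("%-14s %s\n", $name, is_upload_name_allowed($name, $allowed) ? 'accept' : 'reject');
}
foreach (["$base/public_html/data", "$base/private_uploads"] as $dir) {
    printf("%s %s\n", $dir, is_outside_docroot($dir, "$base/public_html") ? 'outside docroot' : 'inside docroot');
}
```

The name check covers the `.php.tmp` case from the first post as well as names whose last extension is allowed but which carry an executable segment earlier in the name.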
