13. How to use the flash standalone version in a secure way!
Important - only for the standalone version!
First of all you should update to at least TFU 2.7.1! Some checks were only made in the flash and not on the server side. Since 2.7.1 every possible input parameter is checked and validated on the server the same way the flash does it.
But you still have to integrate the flash properly into your environment to have a secure setup. Basically there are 2 ways to use the flash:
- Completely standalone with the built-in login mechanism:
If you use it this way then $login is set to "auth" and you don't have a problem, because the check whether the login is o.k. is done properly on the server. Calling e.g. tfu_upload.php directly does not work because the user is not logged in!
- Integrated into any kind of website that has any kind of login mechanism (CMS, simple page with login form ...) :
Let's assume the following scenario: You have a website with a protected area and you want to integrate the flash there. You use a login to get to this page and have $login="true" set in tfu_config.php. You think this should be enough because no one can call the flash! This is not true at all! If anyone knows the location of the uploader he can call the flash directly, and can even upload files directly by sending faked requests that look like the ones the flash sends! You have only secured the page the flash is embedded in - not the flash itself!
The solution is very simple! You have to check if the user that calls the flash is authorized! You have to check in your own system that the login was made properly and add this check in tfu_config.php (since 2.7.5 tfu_login.php).
The simplest way is:
- Set a session variable after the user has successfully logged into your main website (this is normally done anyway).
Please note: If you pass variables over the session, the flash parameter session_id is mandatory, because otherwise Firefox does not send the session along with the flash's requests!
- Read this variable in tfu_config.php (since 2.7.5 tfu_login.php) with $_SESSION['<your variable>'] and add the check to the line where you find isset($_POST["twg_user"]).
By default this line looks like:
if ( isset($_POST["twg_user"]) && isset($_POST["twg_pass"])){
Afterwards it should look something like:
if ( isset($_POST["twg_user"]) && isset($_POST["twg_pass"]) && isset($_SESSION['<your variable>'])){
You can of course do more than simply checking if the variable exists. You can e.g. read this variable and check in your db whether it is o.k. It's up to you and your existing system how you solve it! Only be aware that you have to do something!
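The two halves of this setup as an added example (not code from the TFU project): the main site stores a session variable after its own login succeeds, and tfu_login.php refuses the upload unless that variable is present and still matches an active account. The variable name site_user, the users table and the helper names are assumptions for illustration.

```php
<?php
// Added example, not part of TFU. Names below (site_user, users table,
// helper functions) are assumptions chosen for illustration.

// --- Part 1: in your main site's login handler, after the password check passes ---
function mark_site_login_ok(string $username): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);        // fresh id after login (limits session fixation)
    $_SESSION['site_user'] = $username; // the variable tfu_login.php will look for
    // Remember to hand session_id() to the flash via its session_id parameter
    // when you embed it, as the FAQ notes (Firefox does not send it otherwise).
}

// --- Part 2: in tfu_login.php (tfu_config.php before 2.7.5) ---
function tfu_caller_is_authorized(PDO $db): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['site_user'])) {
        return false;                   // no site login in this session -> no upload
    }
    // Go beyond isset(): confirm the account still exists and is enabled, so a
    // disabled user cannot keep uploading with an old session.
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ? AND active = 1');
    $stmt->execute([$_SESSION['site_user']]);
    return (int) $stmt->fetchColumn() === 1;
}

// The line from the FAQ with the extra check added (assumes $db is your PDO handle):
// if (isset($_POST["twg_user"]) && isset($_POST["twg_pass"]) && tfu_caller_is_authorized($db)) {
```

A faked request that never went through your site's login has no site_user in its session, so it is rejected before TFU even looks at twg_user and twg_pass.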
If the flash is accessible for everyone, make sure that only file extensions that cannot harm you can be uploaded. Since 1.7.1 these extensions are checked in the flash AND on the server side again. If you use the flash like this you have to update!
TWG and JFU already check their internal login! Therefore you don't have a problem there! I still strongly recommend an update to the latest version (TWG 1.7.1 and JFU 2.7.1), because in older versions not all parameters are checked and authorized users can still fake requests! The minimum you should do is not allow users to rename files!
I'll provide update files for TWG on the download page which make updating much easier!