 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
Java Forum / General / September 2006how to secure the file uploading process using form-based upload
Hi, I am using apache commns fileupload to let users to upload their files to a web site. The web site itself is using https protol, so that the file is securely uploade through the internet using the HTML form based uploading process. However, when the file lands on the hard disk of the web server, it is unencrypted. My question is that, if my web site is compromised by some attacker, these files will be exposed to the attacker, is there a way to do the follows: 1) Make the landed file to be encrypted when it is landing (even for the temporary file that the fileuploading process written during the file upload process). 2) Is there any other alternative approach to achieve this, e.g. another libary I can use to make the downloaded file always to be encrypted? Thanks, David > Hi, > [quoted text clipped - 15 lines] > another libary I can use to make the downloaded file always to be > encrypted? How about having the client encrypt the file before uploading it? - Oliver It is not feasible to let the client encrypt our file. Any other suggestions? > It is not feasible to let the client encrypt our file. Any other > suggestions? I think if your server is compromised by attackers, there is nothing you can do on the server side to prevent access to data uploaded to that server. - Oliver > I am using apache commns fileupload to let users to upload their files > to a web site. The web site itself is using https protol, so that the [quoted text clipped - 13 lines] > another libary I can use to make the downloaded file always to be > encrypted? You could have the server side code perform encryption of the file data before it is written out to disk. The crypto implementation classes provided in JDK 1.4+ should be adequate for this purpose. As for temporary files being exposed, I'm not that familiar with the Apache FileUpload API - but you could check if some way of accessing the incoming file data as a stream is available that does not involve creating temporary files - If it is, then you could perform on the fly encryption on the stream, and the data would never appear on disk in its unencrypted form. BK >> I am using apache commns fileupload to let users to upload their files >> to a web site. The web site itself is using https protol, so that the [quoted text clipped - 5 lines] >> these files will be exposed to the attacker, is there a way to do the >> follows: [...] > As for temporary files being exposed, I'm not that familiar with the > Apache FileUpload API - but you could check if some way of accessing the > incoming file data as a stream is available that does not involve creating > temporary files - If it is, then you could perform on the fly encryption > on the stream, and the data would never appear on disk in its unencrypted > form. Well, the data might appear inside of the OS swap file... - Oliver >>> I am using apache commns fileupload to let users to upload their files >>> to a web site. The web site itself is using https protol, so that the [quoted text clipped - 16 lines] > > Well, the data might appear inside of the OS swap file... Still worse, the hacker could replace the servlet code with his own version that writes out an unencrypted copy of the file. :-) So he doesn't have to really depend on whether the OS uses swap files or not. BK Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2009 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.