Safe Attachment Extensions Vs. Risky?

ProCom

Well-known member
For the setting: "Allowed attachment file extensions"

For those of us that aren't developers (me :) ) how do we determine the risk-level of different extensions to allow?

zip ?
csv ?
pdf ?
txt ?
xlsx ?
etc?

How "safe" or "risky" are those (and other) extensions to allow uploads?

I read the interwebs about Malware Infection, Injection Attacks, etc. etc. etc.

I want to support uploads to some extent, but not anything where a hacker could super easily cause problems.

Thanks!
 
that's not them.

You get malware if you don't protect your computer.
 
The server doesn't do anything with attachments as far as trying to execute them. Really simplified, but underneath it all the server simply treats an attachment as a binary string of bytes and sends those bytes out as an HTTP response when necessary (when someone wants to view/download an attachment). The server isn't trying to do anything silly like run a .exe file someone uploaded to see what happens.

That being said, there's nothing done to prevent a user from uploading a malicious file that could then be downloaded and executed by a user to cause issues with their computer. However, your server isn't going to get infected in that case, which is what your question is about.
 
Thanks, I appreciate that!

I just didn't know if there was a way for someone to upload a specific kind of file, know the URL of that file (in the attachments dir), and then find some way to run, execute, etc. that file that's sitting on the server.

So, taking what I'd see as a worst-case scenario: If I allowed all .exe .sh .bat etc. file types, could a hacker upload the file, and then do some kind of execution, etc?

(again, sorry... the server end is over my payscale).

Again, thanks for the help!
 
They could upload it and infect users that downloaded it, but no... unless there's some secret security issue that others don't know about, there isn't a known mechanism to allow unauthenticated end users to execute programs on your server.
 
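Since the setting in question is an allow-list and the replies above point out that the server only streams the stored bytes back, here is an added example (not from this thread or from the forum software) of the two checks an admin would want behind that setting: validate the uploaded name against the list, including double extensions like report.pdf.exe, and serve the file as a forced download so the browser never tries to render it. The allow-list values, the denied set and the magic-byte table are assumptions for the example.

```python
import re
from pathlib import PurePosixPath

# Constructed allow-list standing in for "Allowed attachment file extensions".
ALLOWED_EXTENSIONS = {"zip", "csv", "pdf", "txt", "xlsx", "png", "jpg"}

# Extensions a browser, OS or web server might treat as active content; rejected
# anywhere in the name, so "shell.php.txt" fails even though it ends in .txt.
DENIED_EXTENSIONS = {"exe", "bat", "cmd", "sh", "php", "phtml", "js", "html", "htm", "svg"}

# Leading bytes for formats where a cheap content check is possible (assumed table).
MAGIC = {"pdf": b"%PDF-", "zip": b"PK\x03\x04", "xlsx": b"PK\x03\x04",
         "png": b"\x89PNG\r\n\x1a\n"}


def attachment_allowed(filename: str, head: bytes) -> bool:
    """True only if the final extension is allowed, no denied extension appears
    anywhere in the name, and the first bytes match the claimed type."""
    name = PurePosixPath(filename.replace("\\", "/")).name  # drop any directory part
    if not name or "\x00" in name:
        return False
    # Trailing dots/spaces are silently dropped by some filesystems ("evil.exe ").
    parts = name.rstrip(". ").lower().split(".")
    exts = parts[1:]
    if not exts or any(e in DENIED_EXTENSIONS for e in exts):
        return False
    final = exts[-1]
    if final not in ALLOWED_EXTENSIONS:
        return False
    magic = MAGIC.get(final)
    return magic is None or head.startswith(magic)


def download_headers(filename: str) -> dict:
    """Headers for sending stored bytes back as the reply describes: force a
    download, and tell the browser not to sniff a different (active) type."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", PurePosixPath(filename).name)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }
```

The magic-byte check is what catches a renamed executable: an .exe uploaded as report.pdf fails because its first bytes are not %PDF-.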