We are using the online Staff application form, added several upload fields (7 in total) and increased the PHP upload limit to 50Mb. Candidates fill out the form, attach files and submit the form. Problem: many candidates’ uploaded files are not actually uploaded to the server, even though the form data is saved and the file names are visible to the Administrator in the related “Download” link in the “Manage Applications” section. Somehow, the data about the files is recorded while the files themselves may be missing on the server. Might this happen because the upload is not finished? Should we make the upload feature more interactive to show the user the upload progress, so they do not browse away while the file is being uploaded?
Security: Public file uploads seem to be prone to a plethora of intentional or unintentional attacks https://www.owasp.org/index.php/Unrestricted_File_Upload
What would be the best way to mitigate at least the major upload risks in Gibbon, ideally system-wide? e.g. Custom file upload controls with configurable dynamic file checks (size, extension, blacklist etc.)? Please let us know the status and what you think would help secure this area.
@skuipers I believe this may be the same case as you fixed in the student application form? Do you want to create the same patch for staff application forms so Vic can try it out?
Vic, we have not had any issues with this in terms of security, but the missing files are, we believe, to do with browsers not setting cookies. As mentioned above, Sandra has a fix.
One approach to this issue would be to include a Captcha, which would give protection against automated attacks. Sandra and I have discussed this, but have not yet had time to implement anything.
This will only fix potential failed uploads from users who have their browsers set to block cookies. If it’s failing for another reason the patch likely won’t have an effect.
Thank you!
Would you consider extending the file upload feature to address security and usability issues, for example with the likes of https://blueimp.github.io/jQuery-File-Upload/index.html or http://www.web-development-blog.com/php-upload-script/? If you do not have any considerations against it, I will ask the programmer to come up with an implementation. Let us know if this is not advised, and any key factors to be considered or suggestions.
My concern: In our area many businesses are attacked with ransomware via popular attachments. Our management are reviewing lots of files daily via the Staff application file uploads. We do not have any control over per-file size/type/basic security checks before office/management staff open these files. So far we rely on the good will of applicants and the security of staff computers. We will be happy to improve this area with our own resources and your guidelines.
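An added example, not Gibbon's own code and not taken from either upload library linked above, of the per-file checks asked about in the opening post and again here: PHP's own upload verdict, a size cap, an extension allowlist, content-type sniffing and a random stored name. Assumed: a 10 MB per-file limit, the allowlist shown, and an upload directory outside the web root.

```php
<?php
// Added example, not Gibbon's own code: server-side checks for one uploaded
// application file. Assumes $file is one $_FILES entry and $uploadDir is a
// directory outside the web root that the web server does not serve.
const MAX_UPLOAD_BYTES = 10 * 1024 * 1024; // assumed per-file limit
// Allowlist: permitted extension => MIME types sniffed from the file content
const ALLOWED_TYPES = [
    'pdf'  => ['application/pdf'],
    'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document'],
    'jpg'  => ['image/jpeg'],
    'png'  => ['image/png'],
];
/** Validates one $_FILES entry; returns the stored name or throws with the reason. */
function storeApplicationFile(array $file, string $uploadDir): string
{
    // Check PHP's own verdict first: an interrupted transfer reports
    // UPLOAD_ERR_PARTIAL, so the form must not record the file as present.
    if ($file['error'] === UPLOAD_ERR_PARTIAL) {
        throw new RuntimeException('Upload was interrupted');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed (PHP error ' . $file['error'] . ')');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a genuine uploaded file');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File is empty or too large');
    }
    // Only the final extension of the client-supplied name, lowercased
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('File type not permitted');
    }
    // Sniff the real content type instead of trusting the client's $file['type']
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException('File content does not match its extension');
    }
    // Random server-side name; the client's file name never reaches the filesystem
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // readable by the application, never executable
    return $stored;
}
```

Record the returned name in the database only after the function succeeds, so a failed or interrupted upload cannot leave a “Download” link pointing at a file that does not exist.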
Vic, as our case seems quite different to yours, and time is limited, I am not sure if this is something we can implement right now. But we are happy to work with a programmer you wish to bring in, to discuss the design. Thanks!
Thank you! I applied Sandra’s fix, but the issue remains. BUT, just spotted a pattern: When you select and apply for several positions simultaneously - the files are uploaded and the First vacancy contains correct links to files on the server. The consecutive Vacancies the person applied for contain broken “Download” links. I suspect the system generates a semi-random file name that is only valid for one of the Vacancies applied for.