Security risks allowing users to upload a css file?

[Bhushan N.N]

Are there any security risks involved in allowing a user to upload a css file?

I will be using the uploaded css file for a preview. Using another HTML template I already have on the server.

[Arno Welzel]

Am 15.05.2013 05:07, schrieb Bhushan N.N:

> Are there any security risks involved in allowing a user to upload a css file?

This depends on the way, how the CSS file is used on the server.

> I will be using the uploaded css file for a preview. Using another HTML template I already have on the server.

So - users can upload a file and this will be used by a
<link rel="stylesheet" type="text/css" href="..." />?

Well - it is possible to use CSS to obfuscate existing elements or even
to load data from other servers. So i would say - yes it is a risk if
you don't validate the CSS. It may not break your server, if it only
sends the data it stored earlier as a result of an upload - but it may
me misused by others to host fake websites on your machine.

--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de

[The Natural Philosopher]

On 15/05/13 04:07, Bhushan N.N wrote:
> Are there any security risks involved in allowing a user to upload a css file?
>
> I will be using the uploaded css file for a preview. Using another HTML template I already have on the server.

Honey, there is a risk allowing user to upload ANYTHING to a server.

Up to and including aTCP packet requesting a page...

Your job is to balance that risk with the reward you get from them for
allowing them to do it.


--
Ineptocracy

(in-ep-toc’-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.

[Jerry Stuckle]

On 5/14/2013 11:07 PM, Bhushan N.N wrote:
> Are there any security risks involved in allowing a user to upload a css file?
>
> I will be using the uploaded css file for a preview. Using another HTML template I already have on the server.
>

Uploading files always has security risks. Even connecting to the
internet has security risks. The only way to not have any security risk
is to not have any USB ports, DVD drives, etc. on the machine, lock the
machine in a vault with no connection to the outside world, and don't
give anyone the key. Even then your machine isn't perfectly safe.

Of course, such a machine wouldn't be very useful.

There are always security risks. You need to balance the risks vs. the
rewards.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstu...@attglobal.net
==================

[Denis McMahon]

Yes, css can be used to redirect links to, or load images (or almost
anything else) from third party sites.

It's also possible to obfuscate urls in css files using hexadecimal %xx
codes so that searching for common strings won't find them.

I would be vary wary about allowing third parties to upload their own
unchecked css files to use with my website. I certainly wouldn't allow
such css to subsequently be served from my server without at least a regex
check to look for embedded urls and obfuscated url strings, and probably
a manual inspection as well.

--
Denis McMahon, denismf...@gmail.com

[Bhushan N.N]

Thanks everyone :)