Joined: Jun 2003
Posts: 131
Journeyman
Hi - For security reasons, I've so far restricted attachments to be jpeg, gif, and txt files. However, for some purposes, it would be nice to permit more general document files, e.g., so that an attachment could include both text and image if needed. Is security threatened by permitting doc files? And I realize I'm showing my limited knowledge by thinking of doc files as files from Word...what type of document files do other word processors make?

Thanks - Tony

Joined: Jun 2003
Posts: 1,025
Junior Member
I don't think that there would be a security issue to your site. I have .doc files allowed on my site and it always opens them in Word. I think only executable files, like .exe, .php, .cgi, etc, are a direct threat to the site.

Joined: Aug 2000
Posts: 1,609
Addict
Just be aware that .doc files can contain malicious macros. While these won't be a direct threat to your site, it could affect those who download it.

Joined: Jun 2003
Posts: 131
Journeyman
yes, I was thinking about this question some more, and was about to raise the issue of macros (though I didn't remember the name...) It'd be pretty terrible if a malicious person uploaded a file that then messed up a lot of users!

Let's see, for the occasions when a .doc file is really helpful, and if I know the person who wants it as an attachment, can I as administrator add it, after that person has posted the initial message and emailed me the file for attachment? I guess I can just try this, but thought I'd ask...

In a way, it could be easier if users could tell what type of file the attachment was, but - on the other hand - they wouldn't have any way of knowing whether a .doc file was trustworthy, would they? (Of course, current antivirus software would presumably take care of the old problems, but not a new one, huh?)

Thanks - Tony

Joined: Apr 2002
Posts: 1,768
Addict
[6.3.2]

To manually add an attachment 'filename.ext' to post #1234:

1) Place the file in your attachment directory with the name 1234-filename.ext.
2) UPDATE w3t_Posts SET B_File='1234-filename.ext' WHERE B_Number=1234


Joined: Jun 2003
Posts: 131
Journeyman
Ah...thank you. I think I'll have to wait on this until I have the nerve to start doing things with the database! So far I've resisted, because I don't have absolute confidence in how to restore from a backup, in the unlikely event that should become necessary! I have been doing the occasional backup (using, what is it?, the myphpadmin tool), but I'm still not confident about what one DOES with the resulting file, if you have to use it...

(I've also noticed a tendency to assume we can access the database via the threads admin section, but I can't, and I gather that's characteristic of threads that's running on a shared server...)

Thanks again - Tony

Joined: Nov 2001
Posts: 10,369
I type Like navaho
Admin -> SQL Command.

Everyone has access to that with Admin privs.

Joined: Apr 2002
Posts: 1,768
Addict
But not everyone has access to do backups/restores from there.

Joined: Nov 2001
Posts: 10,369
I type Like navaho
Right - you can only run queries from the admin menu.

Joined: Jun 2003
Posts: 131
Journeyman
Hey, that sounds interesting! So you mean that even if we don't have full capabilities from the admin menu (because we're on a shared server) we CAN run queries? (...and queries includes making changes such as suggested above to do an attachment FOR a user?)

Thanks - Tony

Joined: Apr 2002
Posts: 1,768
Addict
Correct.

Joined: Aug 2000
Posts: 1,609
Addict
You could, perhaps, use safer file types like PDF or even TXT and RTF. When I manually add files I go about it the lazy way. I upload the file and link it in a post. To soothe your members, you could post that the file has been scanned and guaranteed to be virii-free.

Joined: Jun 2003
Posts: 131
Journeyman
Yes, I've been thinking about these possibilities....though the issue hasn't yet come up on our new board - but undoubtedly it will because some of the issues we discuss have technical content, where illustrations, tables, or even equations are needed, which means a document that has all those things in it. A Word document can, but a txt document (which I do allow) can't.

What I wonder about, also, is a pdf file made FROM a Word document with all those things (illustrations, etc) in it. Do pdf files have any security risks? Presumably it shouldn't have all the issues that come along with microsoft (I started to write microbrain) software that's so integrated...

Of course, most people don't have software for making pdf files (though I do). Is there any free access for conversion that people have for limited use, such as for this purpose? I'm not aware of any, but this would solve the problem of the admin having to be involved, i.e., if a user could make a pdf file from his/her doc file and upload it!

As you say, I can upload a .doc file and then note it has been scanned. That is, of course, not an absolute guarantee, because standard antivirus scanning has its limitations (particularly for a new virus).

Joined: Nov 2001
Posts: 10,369
I type Like navaho
To my knowledge there are no exploits with PDF files, because unlike Word and Excel, they do not have the ability to run macros on your system. I believe PDFs to be safe.

Joined: Jun 2003
Posts: 131
Journeyman
Hi, and thanks...do you (or anyone else) know if there is free access anywhere to convert files to pdf? Tony

hmmm...answer to my own question: goBCL says it provides free conversion of document files to pdf (or html), as long as the document does not exceed 500KB, which would suffice for many purposes.

Anyone had any experience with this or other such services?

Last edited by TonyN; 09/11/2003 6:19 PM.
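Added example, not part of any post in this thread and not UBB.threads code: a Python check an administrator could run over a file received by e-mail before placing it in the attachment directory. It enforces an extension allowlist, confirms the content matches the extension, and flags active-content markers in .doc, .pdf and .rtf files. The allowlist, the function name `triage`, the marker lists and the sample bytes are assumptions constructed for illustration.

```python
import os

# Leading "magic" bytes expected for each allowed extension (txt has none).
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
    ".rtf": [b"{\\rtf"],
    ".doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # OLE2 compound file
    ".txt": [],
}
# Byte markers for active or embedded content (a heuristic, not a parser).
ACTIVE = {
    ".doc": [("VBA macro project", "_VBA_PROJECT".encode("utf-16-le"))],
    ".pdf": [("JavaScript", b"/JavaScript"), ("auto-run action", b"/OpenAction"),
             ("launch action", b"/Launch"), ("embedded file", b"/EmbeddedFile")],
    ".rtf": [("embedded OLE object", b"\\objdata")],
}

def triage(filename, data):
    """Return (verdict, reasons); verdict is 'accept', 'review' or 'reject'."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC:
        return "reject", [f"extension {ext or '(none)'} not on allowlist"]
    sigs = MAGIC[ext]
    if sigs and not any(data.startswith(s) for s in sigs):
        return "reject", [f"content does not match {ext} signature"]
    if ext == ".txt" and b"\x00" in data:
        return "reject", ["binary data in .txt file"]
    found = [label for label, marker in ACTIVE.get(ext, []) if marker in data]
    return ("review", found) if found else ("accept", [])

# Constructed sample inputs (not real documents).
OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLES = {
    "notes.txt": b"plain text\n",
    "photo.gif": b"MZ\x90\x00 renamed executable",
    "report.doc": OLE + b"\x00" * 64 + "WordDocument".encode("utf-16-le"),
    "macro.doc": OLE + b"\x00" * 64 + "_VBA_PROJECT".encode("utf-16-le"),
    "form.pdf": b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R >>\n2 0 obj << /S /JavaScript >>\n",
    "setup.exe": b"MZ\x90\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, *triage(name, blob))
```

A byte search cannot see markers inside compressed streams, so "accept" means only that no marker was found; files marked "review" still need an antivirus scan or conversion to a flat format before they are attached.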
