I wanted to reach out to Mandeeps and the community to see how others are handling having a file upload on a form. As we have experienced some ransomware attacks in the past that have targeted some of our server environments and specific client websites, we have been working proactively to ensure we are doing everything we can on our end to protect the integrity of the websites and server environment.
That being said, we have a few clients that are wanting to have file upload fields to be used on their Live Form, and I have read many articles about simple files that can be uploaded where the file name or something can trigger a script to run on the server once uploaded, or that it could be infected but undetected until a certain action is taken. I have read other articles that have proposed other solutions of separating the folder where the files will be stored with the web server to a separate location from the website (which I am not sure that Live Forms can accommodate) with specific settings for this separate folder, like disabling PowerShell and other things so scripts could not run from anything in the folder. I have a very in-depth article I read that explained some of this, if anyone is interested.
I have also looked into a simple file upload function that we could possibly embed within the Live Form that would actually upload the file to Box or something but not the web server. None of these seem like great solutions, and now I am considering for these few forms using something separate like Jotform or a similar standalone form builder that can be embedded in the site but would not upload the files to the website. This is not the direction I want to go, and will be an added expense for my client on an ongoing basis, and we love Live Form and have built some awesome stuff on Live Form, so I wanted to see if this has been a concern of others, and what they have done or how they are handling this. This type of site security is beyond my expertise, so I am looking to see if Mandeeps or others have recommendations or thoughts.
Live Forms supports Folder Providers; so if security is a concern you could do one of the following:
Have there been any developments specific to this concern? We also have a number of Live Forms instances (v7.0.3) allowing anonymous submissions, including file uploads, but there are two specific vulnerabilities that are especially concerning: