Re: [PHP] File Upload Security

Fri, 11 Apr 2008 20:29:16 -0700 

I would recommend something more strong
http://www.php.net/manual/en/function.exif-imagetype.php

or if you dont have exif
http://www.php.net/manual/en/function.getimagesize.php
will do also a trick.
One more thing, you are also allowing .txt and .css which may be potential hole, as Apache can run .css also through PHP engine if configured to do so. Sometimes I use PHP to process CSS so I can have dynamic CSS for some rare cases. 






On Apr 12, 2008, at 2:24 AM, Al wrote:
One of my sites has been hacked and I'm trying to find the hole. The hack code creates dirs with "nobody" ownership, so it's obvious stuff is not via ftp [ownership would be foo] 

Site is virtual host, Linux/Apache

I'm concerned about a file uploader my users use to upload photos.
Can anyone see a hole in this scrip? Can my code upload an executable masquerading as an image file? 

$filetype = array("gif", "jpg", "jpeg", "png", "txt", css")

function csvt_file_upload($filetype, $max_size)
{
$prohibits = array("exe", "php", "inc", "php3", "pl", "bat", "cgi"); //common executables. 
    $absolute_max_size = 2000000;

    end($_FILES); //get the "name" used by the html <input.....
$name = key($_FILES); //could use the register variables, but this is safer. if(isset($_FILES[$name]['name'])) $input_name = $_FILES[$name] ['name']; 

    $error = "no"; //reset for error checks

    if (!isset($filetype)) {
echo "<p style=\"color:red\"> File type assignment missing </p> "; 
            $error = "yes";
    };

    if (!isset($max_size)) {
echo "<p style=\"color:red\"> Max file size assignment missing.</p>"; 
            $error = "yes";
    };

    $filename = $_FILES[$name]['name'];
    $tmp_name = $_FILES[$name]['tmp_name'];
    $size = $_FILES[$name]['size'];

    $absolute_path_file = getcwd(). DATA_DIR . $filename;


    if (($size >= $max_size) OR ($size > $absolute_max_size)) {
        echo "<p style=\"color:red\"> File size is too large.</p> ";
        $error = "yes";
    }
$ext = substr(strrchr($filename, "."), 1); //get the extension, remove the "." 
    if (in_array($ext, $prohibits)) {
echo "<p style=\"color:red\">Illegal file type, executable.</p>\r\n"; 
        $error = "yes";
    }
    if (is_executable($filename)) {
echo "<p style=\"color:red\">Illegal file type, executable file.</p>\r\n"; 
        $error = "yes";
    } //This is a double check in case $prohibits is incomplete.
    if (is_array($filetype) AND !in_array($ext, $filetype)) {
        echo "<p style=\"color:red\">Illegal file type.</p>\r\n";
        $error = "yes";
    }
        if(!is_array($filetype) AND ($filetype != $ext)){
        echo "<p style=\"color:red\">Illegal file type.</p>\r\n";
        $error = "yes";
    }
    if ($error == "yes") {
echo "<p style=\"color:red\">There was an error(s) with your file selection \"$input_name\" as the note(s) indicates. Please reselect, or remove your file selection and email for help. </p>\r\n"; 
    }
        else {
        if(!move_uploaded_file($tmp_name, $absolute_path_file))
die("<p style=\"color:red\">There was an error saving your file. Check permissions of " . DATA_DIR . " Must be 777 </p>\r\n"); 
                
        chmod($absolute_path_file, 0644);
    }

    return;
}

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Igor Jocic
http://www.carster.us/

Reply via email to