Hey guys I have an mp3 and image upload script, almost identical in form just with different checks. I was wondering if anyone could give me security tips on them. Thanks in advance.
Someone could craft a file called something.php that is both valid PHP code and a valid mp3 (possibly), and your script would copy the ".php" file as is. It should force the file extension to a known one, to prevent Apache from invoking third-party modules like PHP on it when the user requests the URI of the uploaded content.
It's called the null byte hack.
An attacker can upload a PHP shell like SHELL.PHP%00.JPG through the system uploader. This file is recognised as an image file, but actually it is a PHP script.
scarface222 wrote: Thanks for the response man, but I am kind of an amateur. What could I do to prevent this? Could you maybe give an example? Thanks again.
Chmod the files to 400 and rename to $filename = uniqid() . time() . '.dat'; or something
Thanks guys, just out of curiosity, why store outside of the root folder? All my users have folders within the site folder where their data is stored. Should I change it so that their data is outside of the site folder? Also, what is the point of unique ids? I saw one script md5 the name of an upload. Thanks again for your help.
That's because you can have a file called foo.php that contains valid PHP and is also a valid mp3, or a valid jpeg, or whatever. If you let them place files with arbitrary names in the web root, it is not secure; they can run arbitrary PHP code then.
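Putting the advice from this thread together (ignore the client-supplied name, sniff the content, rename to a random name with a fixed non-executable extension, store outside the web root, chmod read-only), here is an added example of a hardened upload handler. It is not code from the original posts. It assumes a form field named "upload", an upload directory /var/app/uploads that is outside DocumentRoot, and an allow-list of JPEG, PNG and MP3. Note the caveat in step 3: a JPEG/PHP polyglot still passes the content sniff, which is exactly why the stored name never ends in .php and never sits under the web root.

```php
<?php
// Added example, not from the forum thread.
// Assumptions: UPLOAD_DIR is outside DocumentRoot and writable by the
// web server user; the HTML form field is named "upload".

declare(strict_types=1);

const UPLOAD_DIR   = '/var/app/uploads';        // assumed: NOT under DocumentRoot
const MAX_BYTES    = 10 * 1024 * 1024;          // assumed 10 MiB limit
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'audio/mpeg'];

/**
 * Store one entry of $_FILES and return the opaque stored filename.
 * Throws RuntimeException on anything suspicious.
 */
function storeUpload(array $file): string
{
    // 1. Reject anything PHP itself flagged (partial upload, too big, ...).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 2. Only accept a temp file PHP really received in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 3. Sniff the bytes. $file['type'] and $file['name'] are attacker
    //    controlled; "shell.php", "shell.php\0.jpg" and "shell.php%00.jpg"
    //    all end up here and are judged on content only. A polyglot that is
    //    a valid JPEG AND valid PHP still passes this check, so this is not
    //    the control that prevents execution; steps 4 and 5 are.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        throw new RuntimeException('unsupported content');
    }

    // 4. Generate the stored name ourselves: random, fixed ".dat" extension.
    //    The client-supplied name is never used, not even sanitised.
    $stored = bin2hex(random_bytes(16)) . '.dat';
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }

    // 5. Read-only for the owning (web server) user, no execute bit.
    chmod($dest, 0400);

    // The caller records ($stored, $mime) in its database under an opaque id
    // and hands out only that id, never the path.
    return $stored;
}

if (isset($_FILES['upload'])) {
    try {
        $stored = storeUpload($_FILES['upload']);
        echo "stored as $stored\n";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

The MIME sniff decides what kind of file it is; the random ".dat" name outside the web root decides what Apache will never do with it. Keep both, but do not rely on the first alone.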
I have one more question. In relation to a unique id, I am not sure what to do, because I want to display or play the files at some point that the user uploads. So I assume that a PHP file cannot be accessed through an image reference or mp3 player, and when they are uploaded, say I md5 them. In the HTML it is displayed as the md5 hashed name along with the directory, so can't a hacker still just copy and paste this into the URL to run the file? Also, when I went to digg.com to test something, I found an img URL and put it in the URL bar: http://digg.com/general_sciences/The_St ... ry_2/s.jpg
isn't this image file in the site directory?
scarface222 wrote: I have one more question. In relation to a unique id, I am not sure what to do, because I want to display or play the files at some point that the user uploads. So I assume that a PHP file cannot be accessed through an image reference or mp3 player, and when they are uploaded, say I md5 them. In the HTML it is displayed as the md5 hashed name along with the directory, so can't a hacker still just copy and paste this into the URL to run the file? Also, when I went to digg.com to test something, I found an img URL and put it in the URL bar: http://digg.com/general_sciences/The_St ... ry_2/s.jpg
isn't this image file in the site directory?
It's not insecure to have files public, but until you understand the content type handlers of Apache, execution privileges on Unix, etc., it's best to keep them out of the web root.
If someone can pull up images by guessing the URL, so what? It's downloaded into their cache anyway.
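The question above (how do you display or play a file that lives outside the web root, and can someone paste its URL to "run" it) comes down to serving it through a script that only ever reads bytes and sets a Content-Type. This is an added example, not from the thread. It assumes the files were stored as 32-hex-character ".dat" names under /var/app/uploads with their sniffed MIME type recorded at upload time; lookupUpload() is a hypothetical stand-in for that database lookup, with one constructed record.

```php
<?php
// Added example, not from the forum thread: media.php serves a stored upload.
// Assumptions: UPLOAD_DIR is outside DocumentRoot; stored names are
// <32 hex chars>.dat; lookupUpload() is a hypothetical DB lookup by opaque id.

declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';

/** Hypothetical: returns ['name' => stored filename, 'mime' => sniffed type]. */
function lookupUpload(string $id): ?array
{
    // Constructed sample record standing in for a database row.
    $records = [
        'a1b2c3' => [
            'name' => '0123456789abcdef0123456789abcdef.dat',
            'mime' => 'image/jpeg',
        ],
    ];
    return $records[$id] ?? null;
}

function notFound(): void
{
    http_response_code(404);
    header('Content-Type: text/plain');
    echo "not found\n";
}

function serveUpload(string $id): void
{
    // The id is the only client input; it must be an opaque token, not a path.
    if (!preg_match('/\A[0-9a-f]{1,64}\z/', $id)) {
        notFound();
        return;
    }
    $rec = lookupUpload($id);
    if ($rec === null) {
        notFound();
        return;
    }
    // Belt and braces: the stored name must be exactly what the uploader
    // generates, so even a tampered DB row cannot become "../../etc/passwd".
    if (!preg_match('/\A[0-9a-f]{32}\.dat\z/', $rec['name'])) {
        notFound();
        return;
    }
    $path = UPLOAD_DIR . '/' . $rec['name'];
    if (!is_file($path)) {
        notFound();
        return;
    }

    // Content-Type is the type sniffed at upload, so <img> and <audio> work.
    // nosniff stops browsers from second-guessing it, and the file is only
    // readfile()d, never include()d, so there is nothing for PHP to execute.
    header('Content-Type: ' . $rec['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $id . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

serveUpload((string) ($_GET['id'] ?? ''));
```

In the page you then write <img src="/media.php?id=a1b2c3"> or <audio src="/media.php?id=...">. Pasting that URL into the address bar just downloads the same bytes; the real path and extension are never exposed, and Apache never sees a request for a file under the upload directory at all.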
OK, one LAST concern, lol. What is the point of a unique id if simply storing the file outside of the root directory will get the job done? Also, could pathinfo() be useful in determining file type after the upload?
Since you don't understand how to cleanse your inputs in this context, it's best to not use any user input at all.
What if the user created a file someFile.sh?
Granted, it would have to be chmod +x to run, so taking this shortcut would not be insecure in itself, but what's to say some other shortcut somewhere else won't provide the ability for them to exploit your permissions?
Best to know that the files are all going to be numbers with a .dat extension or something like that.