Are these upload scripts safe? solved.

scarface222
Forum Contributor
Posts: 354
Joined: Thu Mar 26, 2009 8:16 pm

Are these upload scripts safe? solved.

Post by scarface222 »

Hey guys, I have an mp3 and image upload script, almost identical in form, just with different checks. I was wondering if anyone could give me security tips on them. Thanks in advance.

Code:

<?php
 
    //file is mp3
if($_POST["selection"]==2){
# edit #
 
    $max_filesize = 5024000;
 
    $uploads = "../usercontent/";
    $types_array = array('audio/mpeg','audio/mpeg3','audio/mpg');
# end edit #
 
if($_FILES['file']['name'] == "")
{
     echo"<script>
alert(\"Please select a file to upload!\");
</script>";
return;
 
}
 
if(!in_array($_FILES['file']['type'], $types_array))
{
     echo"<script>
alert(\"This is not an mp3!\");
</script>";
return;
 
}
 
    $max_filesize_kb = ($max_filesize / 1024);
 
if($_FILES['file']['size'] > $max_filesize)
{
     echo"<script>
alert(\"Your file is too large it must be $max_filesize_kb kb\");
</script>";
return;
 
}
 
else{
move_uploaded_file($_FILES['file']['tmp_name'], $uploads.'/'.urlencode($_FILES['file']['name']))
or die ("Couldn't upload ".$_FILES['file']['name']."\n");
 
 echo"<script>
alert(\"File uploaded\");
</script>";
return;
}   
 
}
 
 
//FILE IS IMAGE
if($_POST["selection"]==1){
# edit #
    $maxwidth = 1024;
    $maxheight = 1024;
    $max_filesize = 1024000;
 
    $uploads = "../usercontent/";
    $types_array = array('image/gif','image/jpeg','image/x-png', 'image/jpg');
# end edit #
 
if($_FILES['file']['name'] == "")
{
     echo"<script>
alert(\"Please select a file to upload!\");
</script>";
return;
 
}
 
if(!in_array($_FILES['file']['type'], $types_array))
{
     echo"<script>
alert(\"That file type is not allowed!\");
</script>";
return;
 
}
 
    $max_filesize_kb = ($max_filesize / 1024);
 
if($_FILES['file']['size'] > $max_filesize)
{
     echo"<script>
alert(\"Your file is too large it must be $max_filesize_kb\");
</script>";
return;
 
}
 
    $imagesize = getimagesize($_FILES['file']['tmp_name']);
 
    $imagewidth = $imagesize[0];
    $imageheight = $imagesize[1];
 
if($imagewidth > $maxwidth || $imageheight > $maxheight)
{
     echo"<script>
alert(\"The resolution is too large files may be up to ".$maxwidth."px x ".$maxheight."px in size\");
</script>";
return;
    
 
}
else{
move_uploaded_file($_FILES['file']['tmp_name'], $uploads.'/'.urlencode($_FILES['file']['name']))
or die ("Couldn't upload ".$_FILES['file']['name']."\n");
 
 echo"<script>
alert(\"File uploaded\");
</script>";
return;
}
}
 
 
?>
Last edited by scarface222 on Fri Oct 30, 2009 11:14 am, edited 1 time in total.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Are these upload scripts safe? Advice appreciated.

Post by josh »

No

Someone could craft a file called something.php with both valid PHP code and a valid mp3 format (possibly), and your script would copy the ".php" file as is. It should force the file extension to a known one, to prevent Apache from invoking 3rd party modules like PHP on it when the user requests the URI of the uploaded content.
scarface222
Forum Contributor
Posts: 354
Joined: Thu Mar 26, 2009 8:16 pm

Re: Are these upload scripts safe? Advice appreciated.

Post by scarface222 »

Thanks for the response man, but I am kind of an amateur. What could I do to prevent this? Could you maybe give an example? Thanks again.
dhenick
Forum Newbie
Posts: 19
Joined: Tue Oct 20, 2009 10:46 am
Location: Yogyakarta, Indonesia
Contact:

Re: Are these upload scripts safe? Advice appreciated.

Post by dhenick »

josh wrote:No

Someone could craft a file called something.php with both valid PHP code and a valid mp3 format (possibly), and your script would copy the ".php" file as is. It should force the file extension to a known one, to prevent Apache from invoking 3rd party modules like PHP on it when the user requests the URI of the uploaded content.
It's called the null byte hack.
An attacker can upload a PHP shell like this SHELL.PHP%00.JPG in the system uploader; this file is known as an image file, but actually it is a PHP script.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Are these upload scripts safe? Advice appreciated.

Post by josh »

scarface222 wrote:Thanks for the response man, but I am kind of an amateur. What could I do to prevent this? Could you maybe give an example? Thanks again.
Chmod the files to 400 and rename to $filename = uniqid() . time() . '.dat'; or something

Then store them outside of web root
scarface222
Forum Contributor
Posts: 354
Joined: Thu Mar 26, 2009 8:16 pm

Re: Are these upload scripts safe? Advice appreciated.

Post by scarface222 »

Thanks guys, just out of curiosity, why store outside of root folder? All my users have folders within the site folder where their data is stored. Should I change it so that their data is outside of the site folder? Also, what is the point of unique ids? I saw one script md5 the name of an upload. Thanks again for your help.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Are these upload scripts safe? Advice appreciated.

Post by josh »

That's because you can have a file called foo.php that contains valid PHP that is also a valid mp3, or a valid jpeg, or whatever. If you let them place files with arbitrary names in the web root, it is not secure; they can run arbitrary PHP code then.
scarface222
Forum Contributor
Posts: 354
Joined: Thu Mar 26, 2009 8:16 pm

Re: Are these upload scripts safe? Advice appreciated.

Post by scarface222 »

I have one more question. In relation to a unique id, I am not sure what to do because I want to display or play the files at some point that the user uploads so I assume that a php file cannot be accessed through an image reference or mp3 player and when they are uploaded say I md5 them. In the html it is displayed as the md5 hashed name along with the directory, so can't a hacker still just copy and paste this into the url to run the file? Also when I went to digg.com to test something I found an img url and put it in the url
http://digg.com/general_sciences/The_St ... ry_2/s.jpg
Isn't this image file in the site directory?
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Are these upload scripts safe? Advice appreciated.

Post by josh »

scarface222 wrote:I have one more question. In relation to a unique id, I am not sure what to do because I want to display or play the files at some point that the user uploads so I assume that a php file cannot be accessed through an image reference or mp3 player and when they are uploaded say I md5 them. In the html it is displayed as the md5 hashed name along with the directory, so can't a hacker still just copy and paste this into the url to run the file? Also when I went to digg.com to test something I found an img url and put it in the url
http://digg.com/general_sciences/The_St ... ry_2/s.jpg
Isn't this image file in the site directory?
It's not insecure to have files public, but until you understand content type handlers of Apache, and execution privileges on Unix, etc., best to keep it out of web root.
If someone can cull up images by guessing the URL, so what? It's downloaded into their cache anyways.
scarface222
Forum Contributor
Posts: 354
Joined: Thu Mar 26, 2009 8:16 pm

Re: Are these upload scripts safe? Advice appreciated.

Post by scarface222 »

OK one LAST concern lol. What is the point of a unique id if simply storing the file outside of the root directory will get the job done? Also could pathinfo() be useful in determining file type after the upload?
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Are these upload scripts safe? Advice appreciated.

Post by josh »

Since you don't understand how to cleanse your inputs in this context, it's best to not use any user input at all.

What if the user created a file someFile.sh?

Granted, it would have to chmod +x to run, so taking this shortcut would not be insecure in itself, but what's to say some other shortcut somewhere else won't provide the ability for them to exploit your permissions.

Best to know that the files are all going to be #s with a .dat extension or something like that.
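
Added example, not part of any post in this thread: one way to apply the advice above (a server-generated name with a fixed .dat extension, mode 400, storage outside the web root) and still display or play the files through a small PHP script. UPLOAD_DIR, the function names and the use of random_bytes() in place of uniqid() . time() are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Assumed location: a directory the web server does NOT map to any URL.
const UPLOAD_DIR = '/var/app-data/uploads';
const ALLOWED = ['image/jpeg', 'image/png', 'image/gif', 'audio/mpeg'];

// Stores one entry of $_FILES and returns the server-generated id.
function store_upload(array $file, int $maxBytes): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload received');
    }
    if (filesize($file['tmp_name']) > $maxBytes) {
        throw new RuntimeException('File too large');
    }
    // Type is sniffed from the bytes; $file['type'] and $file['name'] come
    // from the client and are never used. This filters mistakes, but a
    // polyglot file can still pass, so naming and location do the real work.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED, true)) {
        throw new RuntimeException('File type not allowed');
    }
    // Name contains no user input and always ends in .dat.
    $id = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $id . '.dat';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    chmod($dest, 0400); // owner read-only, no execute bit
    return $id;
}

// Streams a stored file back so it can be used in <img> or an audio player.
function serve_upload(string $id): void
{
    // Only ids this script could have generated; blocks ../ and NUL bytes.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id)
        || !is_file($path = UPLOAD_DIR . '/' . $id . '.dat')) {
        http_response_code(404);
        return;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    header('Content-Type: ' . (in_array($mime, ALLOWED, true) ? $mime : 'application/octet-stream'));
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

The upload page would call store_upload($_FILES['file'], 5024000) and keep the returned id; a separate script inside the web root would call serve_upload($_GET['id']), so the stored file itself is never requested by URL.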
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Are these upload scripts safe? Advice appreciated.

Post by VladSun »

There are 10 types of people in this world, those who understand binary and those who don't
scarface222
Forum Contributor
Posts: 354
Joined: Thu Mar 26, 2009 8:16 pm

Re: Are these upload scripts safe? solved

Post by scarface222 »

Appreciate it guys. Everyone really helped me out. By the way, excellent article VladSun, really puts things in perspective.