Are these upload scripts safe? solved.

Posted: Mon Oct 26, 2009 3:37 pm
by scarface222
Hey guys I have an mp3 and image upload script, almost identical in form just with different checks. I was wondering if anyone could give me security tips on them. Thanks in advance.

Code:

<?php

// file is mp3
if (isset($_POST["selection"]) && $_POST["selection"] == 2) {
    # edit #
    $max_filesize = 5024000;

    $uploads = "../usercontent/";
    $types_array = array('audio/mpeg', 'audio/mpeg3', 'audio/mpg');
    # end edit #

    if (!isset($_FILES['file']) || $_FILES['file']['name'] == "") {
        echo "<script>
alert(\"Please select a file to upload!\");
</script>";
        return;
    }

    // MIME type as reported by the browser
    if (!in_array($_FILES['file']['type'], $types_array)) {
        echo "<script>
alert(\"This is not an mp3!\");
</script>";
        return;
    }

    $max_filesize_kb = ($max_filesize / 1024);

    if ($_FILES['file']['size'] > $max_filesize) {
        echo "<script>
alert(\"Your file is too large, it must be under " . $max_filesize_kb . " KB\");
</script>";
        return;
    } else {
        // stored under the original (URL-encoded) filename
        move_uploaded_file($_FILES['file']['tmp_name'], $uploads . urlencode($_FILES['file']['name']))
            or die("Couldn't upload " . $_FILES['file']['name'] . "\n");

        echo "<script>
alert(\"File uploaded\");
</script>";
        return;
    }
}

// FILE IS IMAGE
if (isset($_POST["selection"]) && $_POST["selection"] == 1) {
    # edit #
    $maxwidth = 1024;
    $maxheight = 1024;
    $max_filesize = 1024000;

    $uploads = "../usercontent/";
    $types_array = array('image/gif', 'image/jpeg', 'image/x-png', 'image/jpg');
    # end edit #

    if (!isset($_FILES['file']) || $_FILES['file']['name'] == "") {
        echo "<script>
alert(\"Please select a file to upload!\");
</script>";
        return;
    }

    // MIME type as reported by the browser
    if (!in_array($_FILES['file']['type'], $types_array)) {
        echo "<script>
alert(\"That file type is not allowed!\");
</script>";
        return;
    }

    $max_filesize_kb = ($max_filesize / 1024);

    if ($_FILES['file']['size'] > $max_filesize) {
        echo "<script>
alert(\"Your file is too large, it must be under " . $max_filesize_kb . " KB\");
</script>";
        return;
    }

    // getimagesize() returns false when the file is not a decodable image
    $imagesize = getimagesize($_FILES['file']['tmp_name']);
    if ($imagesize === false) {
        echo "<script>
alert(\"That file is not a valid image!\");
</script>";
        return;
    }

    $imagewidth = $imagesize[0];
    $imageheight = $imagesize[1];

    if ($imagewidth > $maxwidth || $imageheight > $maxheight) {
        echo "<script>
alert(\"The resolution is too large, files may be up to " . $maxwidth . "px x " . $maxheight . "px in size\");
</script>";
        return;
    } else {
        // stored under the original (URL-encoded) filename
        move_uploaded_file($_FILES['file']['tmp_name'], $uploads . urlencode($_FILES['file']['name']))
            or die("Couldn't upload " . $_FILES['file']['name'] . "\n");

        echo "<script>
alert(\"File uploaded\");
</script>";
        return;
    }
}

?>

Re: Are these upload scripts safe? Advice appreciated.

Posted: Mon Oct 26, 2009 4:06 pm
by josh
No.

Someone could craft a file called something.php with both valid PHP code and a valid mp3 format (possibly), and your script would copy the ".php" file as is. It should force the file extension to a known one, to prevent Apache from invoking 3rd-party modules like PHP on it when the user requests the URI of the uploaded content.

Re: Are these upload scripts safe? Advice appreciated.

Posted: Mon Oct 26, 2009 7:48 pm
by scarface222
Thanks for the response, man, but I am kind of an amateur. What could I do to prevent this? Could you maybe give an example? Thanks again.

Re: Are these upload scripts safe? Advice appreciated.

Posted: Tue Oct 27, 2009 12:34 am
by dhenick
josh wrote:
No.

Someone could craft a file called something.php with both valid PHP code and a valid mp3 format (possibly), and your script would copy the ".php" file as is. It should force the file extension to a known one, to prevent Apache from invoking 3rd-party modules like PHP on it when the user requests the URI of the uploaded content.

It's called the null-byte hack.
An attacker can upload a PHP shell like this, SHELL.PHP%00.JPG, through the system's uploader; the file is recognised as an image file, but actually it is a PHP script.

Re: Are these upload scripts safe? Advice appreciated.

Posted: Tue Oct 27, 2009 9:22 am
by josh
scarface222 wrote:
Thanks for the response, man, but I am kind of an amateur. What could I do to prevent this? Could you maybe give an example? Thanks again.

Chmod the files to 400 and rename to $filename = uniqid() . time() . '.dat'; or something

Then store them outside of web root

Re: Are these upload scripts safe? Advice appreciated.

Posted: Tue Oct 27, 2009 1:33 pm
by scarface222
Thanks guys, just out of curiosity, why store outside of the root folder? All my users have folders within the site folder where their data is stored. Should I change it so that their data is outside of the site folder? Also, what is the point of unique ids? I saw one script md5 the name of an upload. Thanks again for your help.

Re: Are these upload scripts safe? Advice appreciated.

Posted: Tue Oct 27, 2009 4:35 pm
by josh
That's because you can have a file called foo.php that contains valid PHP that is also a valid mp3, or a valid jpeg, or whatever. If you let them place files with arbitrary names in the web root, it is not secure, they can run arbitrary PHP code then

Re: Are these upload scripts safe? Advice appreciated.

Posted: Wed Oct 28, 2009 2:26 pm
by scarface222
I have one more question. In relation to a unique id, I am not sure what to do, because I want to display or play the files the user uploads at some point, so I assume that a PHP file cannot be accessed through an image reference or mp3 player. Say I md5 them when they are uploaded: in the HTML it is displayed as the md5-hashed name along with the directory, so can't a hacker still just copy and paste this into the URL to run the file? Also, when I went to digg.com to test something, I found an img URL and put it in the URL
http://digg.com/general_sciences/The_St ... ry_2/s.jpg
isn't this image file in the site directory?

Re: Are these upload scripts safe? Advice appreciated.

Posted: Thu Oct 29, 2009 1:01 am
by josh
scarface222 wrote:
I have one more question. In relation to a unique id, I am not sure what to do, because I want to display or play the files the user uploads at some point, so I assume that a PHP file cannot be accessed through an image reference or mp3 player. Say I md5 them when they are uploaded: in the HTML it is displayed as the md5-hashed name along with the directory, so can't a hacker still just copy and paste this into the URL to run the file? Also, when I went to digg.com to test something, I found an img URL and put it in the URL
http://digg.com/general_sciences/The_St ... ry_2/s.jpg
isn't this image file in the site directory?

It's not insecure to have files public, but until you understand content type handlers of Apache, execution privileges on Unix, etc., it's best to keep it out of the web root.
If someone can call up images by guessing the URL, so what? It's downloaded into their cache anyway.

Re: Are these upload scripts safe? Advice appreciated.

Posted: Thu Oct 29, 2009 1:15 pm
by scarface222
OK, one LAST concern, lol. What is the point of a unique id if simply storing the file outside of the root directory will get the job done? Also, could pathinfo() be useful in determining file type after the upload?

Re: Are these upload scripts safe? Advice appreciated.

Posted: Fri Oct 30, 2009 3:57 am
by josh
Since you don't understand how to cleanse your inputs in this context, it's best to not use any user input at all.

What if the user created a file someFile.sh?

Granted, it would have to be chmod +x to run, so taking this shortcut would not be insecure in itself, but what's to say some other shortcut somewhere else won't provide the ability for them to exploit your permissions.

Best to know that the files are all going to be #s with a .dat extension or something like that.
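
The upload step rewritten along the lines josh describes in this thread (no user input in the stored name, a fixed .dat extension, chmod 400, storage outside the web root), with the browser-supplied $_FILES type replaced by a server-side content check. This is an added example, not code from the thread; $storage_dir, the $selection values and the allowed MIME lists are assumptions, and random_bytes() stands in for the uniqid() . time() josh suggested.

```php
<?php
// Added example, not the thread's code: the upload step rewritten along josh's
// advice. Assumes $storage_dir is a writable directory OUTSIDE the web root and
// $selection is 1 (image) or 2 (mp3), as in scarface222's form.
function store_upload(array $file, int $selection, string $storage_dir): string
{
    $rules = [
        1 => ['max' => 1024000, 'mimes' => ['image/gif', 'image/jpeg', 'image/png']],
        2 => ['max' => 5024000, 'mimes' => ['audio/mpeg']],
    ];
    if (!isset($rules[$selection])) {
        throw new InvalidArgumentException('Unknown upload type');
    }
    $rule = $rules[$selection];

    // Only accept a file PHP actually received through this request.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload received');
    }
    if ($file['size'] > $rule['max']) {
        throw new RuntimeException('File too large');
    }

    // Sniff the content server-side: $_FILES['file']['type'] is whatever the
    // browser claimed. (libmagic's answer for raw MP3 frames without an ID3 tag
    // varies between versions, so the allowed list may need tuning.)
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, $rule['mimes'], true)) {
        throw new RuntimeException('Content is not an allowed type');
    }
    if ($selection === 1 && getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a decodable image');
    }

    // The stored name contains no user input: random id plus a fixed .dat
    // extension, so neither "x.php" nor "x.php%00.jpg" reaches the disk as such.
    // random_bytes() stands in for josh's uniqid() . time().
    $name = bin2hex(random_bytes(16)) . '.dat';
    $dest = rtrim($storage_dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    chmod($dest, 0400); // readable by the server only, never executable

    // Record $name and $mime in the database; a separate script looks the id up and
    // streams the file with that Content-Type, so nothing is fetched from the directory.
    return $name;
}
```

Call it as store_upload($_FILES['file'], (int) $_POST['selection'], $storage_dir) in place of the move_uploaded_file() branches above; the returned id is what the page later uses to reference the file.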

Re: Are these upload scripts safe? Advice appreciated.

Posted: Fri Oct 30, 2009 4:10 am
by VladSun

Re: Are these upload scripts safe? solved

Posted: Fri Oct 30, 2009 11:13 am
by scarface222
Appreciate it, guys. Everyone really helped me out. By the way, excellent article VladSun, really puts things in perspective.