PHP file upload question

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

iliekphp
Forum Newbie
Posts: 4
Joined: Tue Sep 28, 2010 9:51 pm

PHP file upload question

Post by iliekphp »

Hi, I'm experimenting with different ways to stop PHP shell uploads, and some ways to bypass them. I'm trying it on my localhost. I'm messing around with verification through file extensions. Here's the code:

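<?php

$blacklist = array(".php", ".phtml");

foreach ($blacklist as $item) {
    // preg_quote() so the "." in each extension matches a literal dot only;
    // the check still looks at the end of the file name and nothing else
    if (preg_match('/' . preg_quote($item, '/') . '$/i', $_FILES['userfile']['name'])) {
        echo "We do not allow uploading PHP files\n";
        exit;
    }
}

$uploaddir = 'uploads/';
// basename() strips any directory part from the client-supplied name
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}
?>
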
It does seem to work, here's where I have my question. I changed the file extension to file.php.jpg to see if it could bypass it and it did upload. When I browse to it though I get this:
It just prints out the path for some reason..

So I have two questions, why does that happen? Is there a way to get this to upload and parse it as a PHP file instead of an image? I mean so it actually executes the shell. And if there is what other precautions can you take to prevent people from uploading these shells? Thanks for any help, I'm trying to understand both sides here. I'm using PHP 5.3.1 by the way.
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: PHP file upload question

Post by twinedev »

Firefox will print the path of the file if it sees a file is there, but it doesn't detect that it is an actual image like it is expecting.

Another good thing to look for is search the file for <? and <?php tags to try to catch them scripts.

-Greg
Monotoko
Forum Commoner
Posts: 64
Joined: Fri Oct 26, 2007 4:24 pm

Re: PHP file upload question

Post by Monotoko »

Also search for other "script-like" things such as the ASP opening tags or "print" and "echo".

I once had someone upload and remotely execute a Python script that did quite a bit of damage, searching for known and used functions usually puts a stop to it.
iliekphp
Forum Newbie
Posts: 4
Joined: Tue Sep 28, 2010 9:51 pm

Re: PHP file upload question

Post by iliekphp »

Monotoko wrote:
Also search for other "script-like" things such as the ASP opening tags or "print" and "echo".

I once had someone upload and remotely execute a Python script that did quite a bit of damage, searching for known and used functions usually puts a stop to it.

Thanks, that's a pretty good idea I hadn't thought of that yet.

twinedev wrote:
Firefox will print the path of the file if it sees a file is there, but it doesn't detect that it is an actual image like it is expecting.

So it has to do with the browser? Cause I tried it on Internet Explorer and it just printed out the PHP code, are there any browsers that detect it as a script?
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: PHP file upload question

Post by flying_circus »

Kai has posted some good information on this subject (uploading files), so run a search in this forum.

What exactly are you trying to accomplish?

You should never trust any files that your users upload. Ideally you would want to store uploaded files outside of the document root, so that they cannot be directly accessed. You want to strip the file name and extension, but keep track of these in a database, and rename the file to some unique key that you also store in the database. To access the files, you'll want to create a proxy page to access them.

When you try to serve the file to the user, they'll access it like:
http://www.example.org?getfile=*unique_id*.

At this point, your script will query the database for the unique id, then send the file, with its original name, to the user to download.

This type of a system will allow you to accept uploads and redistribute them to your users as downloads, but your server will never try to execute them.
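
The storage scheme described in the post above, as an added example that is not code from anyone in the thread. It assumes PHP 7 or later with the pdo_sqlite extension; STORE_DIR, the uploads table, the function names and the choice of SQLite are hypothetical, while the userfile field and the getfile parameter are taken from the posts above.

```php
<?php
// Added example, not code from the thread. Assumed names: STORE_DIR, the
// uploads table, db(), store_upload(), serve_upload().
const STORE_DIR = '/var/app-data/uploads';   // assumed: exists, writable, outside the document root

function db(): PDO {
    $pdo = new PDO('sqlite:' . STORE_DIR . '/index.sqlite');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS uploads (id TEXT PRIMARY KEY, orig_name TEXT NOT NULL)');
    return $pdo;
}

// Upload side: the client's file name is recorded but never used as a path.
function store_upload(array $file): string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $id = bin2hex(random_bytes(16));           // unique key, stored with no extension
    if (!move_uploaded_file($file['tmp_name'], STORE_DIR . '/' . $id)) {
        throw new RuntimeException('could not store file');
    }
    db()->prepare('INSERT INTO uploads (id, orig_name) VALUES (?, ?)')
        ->execute([$id, basename($file['name'])]);
    return $id;
}

// Proxy side: look the id up, then stream the bytes as a download.
function serve_upload(string $id): void {
    $stmt = db()->prepare('SELECT orig_name FROM uploads WHERE id = ?');
    $stmt->execute([$id]);
    $name = $stmt->fetchColumn();
    if ($name === false) {                     // unknown id: nothing touches the disk
        http_response_code(404);
        return;
    }
    // $id matched a row exactly, so it is one of the hex keys issued above.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);  // keep the header well-formed
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    header('X-Content-Type-Options: nosniff');
    readfile(STORE_DIR . '/' . $id);           // read as data, never include()d
}

if (isset($_FILES['userfile'])) {
    echo 'Stored as ' . store_upload($_FILES['userfile']) . "\n";
} elseif (isset($_GET['getfile']) && is_string($_GET['getfile'])) {
    serve_upload($_GET['getfile']);
}
```

Because the stored file has no extension and sits outside the web root, the web server has no URL that maps to it; the only route to the bytes is readfile() in the proxy.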
iliekphp
Forum Newbie
Posts: 4
Joined: Tue Sep 28, 2010 9:51 pm

Re: PHP file upload question

Post by iliekphp »

I apologize for replying so late. I just didn't have time to do much for the last couple of days, sorry again.

What I'm trying to accomplish is just figuring out how all this works, I'm not really trying to accomplish anything on a specific project. Thanks for the information you posted, and the information about "Kai" which I'll be sure to search for. This solves my first question about a more secure option for file uploading. I still have one though that wasn't really completely answered. Why doesn't uploading it as soandso.php.jpg work? It uploads, but the server seems to read it improperly or something (see original post). What causes that? Is there a way to make that work? And if there isn't, wouldn't that in itself be enough to secure your uploading script?