File Upload Security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Stacks
Forum Newbie
Posts: 24
Joined: Thu Jun 05, 2008 7:52 pm

File Upload Security

Post by Stacks »

I allow users to upload pictures on my website. They can then view the pictures. What kind of file upload attacks can be used, and what can I do to prevent them?

If anyone can link me to any complete guides on how to protect from these attacks I will much appreciate it.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: File Upload Security

Post by social_experiment »

http://www.scanit.be/uploads/php-file-upload.pdf
Take a look at this url; I've had similar concerns and this file helped a lot.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
Bind
Forum Contributor
Posts: 102
Joined: Wed Feb 03, 2010 1:22 am

Re: File Upload Security

Post by Bind »

1. hidden/protected uploads directory (.htaccess).
2. challenge-response mechanism so they can't automate through your form (captcha/recaptcha).
3. do not use hidden form (session) tickets as your html can be parsed for their values and posted through.
4. file type validation.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: File Upload Security

Post by social_experiment »

Bind wrote:4. file type validation.
Not sure if you have looked at that url but even uploading a .jpg / .gif file (image type) can leave you vulnerable, if comments are embedded into the image file (the url explains it a lot better). I think they advocate storing files outside the web root with custom names for more certainty.
Bind
Forum Contributor
Posts: 102
Joined: Wed Feb 03, 2010 1:22 am

Re: File Upload Security

Post by Bind »

social_experiment wrote:
Bind wrote:4. file type validation.
Not sure if you have looked at that url but even uploading a .jpg / .gif file (image type) can leave you vulnerable, if comments are embedded into the image file (the url explains it a lot better). I think they advocate storing files outside the web root with custom names for more certainty.
Are you suggesting no file type validation?

I hope not.

The .htaccess protection of the upload directory effectively quarantines uploaded files from public access until an administrator can critique the files. The simple presence of a 'bad' file in a secured and quarantined file system directory is in no way insecure in and of itself.

There are functions that can import, parse, alter, delete, overwrite, and rewrite image and filename data, as well as stream the file with headers ensuring no PHP code is compiled/executed at runtime.

No, I did not view the resource you posted - it's a dead link to me - I cannot access it at all.

Here is a good writeup from Manuel Lemos of phpclasses.org on the subject
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: File Upload Security

Post by social_experiment »

Bind wrote:are you suggesting no file type validation ?
File type checking, even if done right, may still not be enough, and I am not saying don't do it. The pdf shows examples of images being uploaded that can still contain malicious code and that have passed the 'type check'. Thanks for the url, I will check it out.
Edit - Attached is the file; I can't add the pdf so I converted it to txt.
Attachment: php-file-upload.rar (file upload text file, 8 KiB)
Bind
Forum Contributor
Posts: 102
Joined: Wed Feb 03, 2010 1:22 am

Re: File Upload Security

Post by Bind »

I like your style - it's good to be a paranoid PHP developer =)

Never rely on any data that can be forged - pretty much the #2 rule in PHP programming, right after: never trust any visitor input ... actually it's probably part of #1.

What you want to check is data that can NOT be forged, like the file extension, which will not be parsed by PHP to begin with if it's a proper extension for an image.

For instance, if a malicious user uploads 'image.gif.php' and forges the Content-Type header to 'image/gif' ...

Code:

<?php
#
#  file type checking
#
$allowed_extensions = array('gif', 'jpg', 'bmp');
foreach ($allowed_extensions as $this_extension) {
    # accept the file only if its name ends in ".<extension>"
    # (exact, case-sensitive comparison of the trailing characters)
    if (substr($_FILES['userfile']['name'], -(strlen($this_extension) + 1)) == '.' . $this_extension) {
        # process the file
    }
}
?>
... it will not be processed so long as the server isn't set to process those file extensions by PHP.

thanks for the file link - i will check it out soon.
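As an added example (this is not code from any poster in this thread), here is one way to put together the points raised so far: Bind's extension whitelist, a check of the actual file contents instead of the client-supplied Content-Type, a re-encode through GD so that embedded comment/EXIF data (the vector the PDF social_experiment attached describes) does not survive, an opaque server-chosen filename, storage outside the web root, and a small routine that streams the picture back with explicit headers. It assumes PHP with the GD and fileinfo extensions; the function names, the form field `userfile`, the directory `/var/app/uploads` and the jpg/png/gif whitelist are assumptions, not anything the thread specifies.

```php
<?php
// Added example, not from the original thread. Hardened picture upload and
// serve-back. Assumes GD is available and that $uploadDir (hypothetical,
// e.g. /var/app/uploads) lies OUTSIDE the web root.
declare(strict_types=1);

// Server-side table: detected MIME type => extension we will write to disk.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate and store one uploaded picture.
 * Returns the opaque stored name; throws on any failure.
 */
function storePicture(array $file, string $uploadDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Only accept the temp file PHP itself wrote for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // 1. Extension check on the LAST extension, lower-cased, so that
    //    "image.gif.php" is rejected and "IMAGE.GIF" is accepted.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED, true)) {
        throw new RuntimeException('extension not allowed');
    }
    // 2. Content check: $_FILES[...]['type'] is client-controlled and is
    //    ignored; getimagesize() parses the real file header instead.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED[$info['mime']])) {
        throw new RuntimeException('not a supported image');
    }
    if (ALLOWED[$info['mime']] !== $ext) {
        throw new RuntimeException('extension does not match content');
    }
    // 3. Re-encode through GD. Only pixel data survives, so comment blocks,
    //    EXIF segments and anything appended after the image are dropped.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }
    // 4. Opaque, server-chosen name; the user's filename never touches disk.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    $ok = false;
    switch ($ext) {
        case 'jpg': $ok = imagejpeg($img, $dest, 90); break;
        case 'png': $ok = imagepng($img, $dest); break;
        case 'gif': $ok = imagegif($img, $dest); break;
    }
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $name;
}

/**
 * Stream a stored picture from outside the web root. The name must match
 * the pattern storePicture() generates, so "../" or other names can never
 * reach another file, and the Content-Type comes from the server-side
 * table rather than from anything the client sent.
 */
function servePicture(string $name, string $uploadDir): void
{
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|png|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = rtrim($uploadDir, '/') . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = array_search(substr($name, -3), ALLOWED, true);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Usage (hypothetical field name, query parameter and path):
//   $name = storePicture($_FILES['userfile'], '/var/app/uploads');
//   servePicture($_GET['img'] ?? '', '/var/app/uploads');
```

Two design notes: the suffix check above looks only at the final extension and lower-cases it, which closes the `image.gif.php` case Bind mentions without relying on what the web server does with double extensions; and the GD round-trip is what makes the "comments embedded into the image file" concern moot, at the cost of losing GIF animation and any metadata you might have wanted to keep.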
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: File Upload Security

Post by timWebUK »

social_experiment wrote:
Bind wrote:are you suggesting no file type validation ?
File type checking, even if done right, may still not be enough, and I am not saying don't do it. The pdf shows examples of images being uploaded that can still contain malicious code and that have passed the 'type check'. Thanks for the url, I will check it out.
Edit - Attached is the file; I can't add the pdf so I converted it to txt.
That's because the web server configuration in their example allows the PHP interpreter to interpret JPEGs as PHP for some reason, hence picking up the script in the EXIF data.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: File Upload Security

Post by social_experiment »

timWebUK wrote:That's because the web server configuration in their example allows the PHP interpreter to interpret JPEGs as PHP for some reason, hence picking up the script in the EXIF data.
Interesting. Is this an option that can be configured, and if so, what purpose does it have if it poses a risk?

I noticed in the pdf they mention that the user doesn't always have control over the configuration and should thus code / script as such. I read it as "trust no server".
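Added example, not from any poster in this thread: an Apache 2.4 `.htaccess` for the uploads directory that shows, commented out, the kind of handler mapping timWebUK describes (Apache handing `.jpg` files to the PHP engine), alongside the protected directory Bind lists as point 1. The directory path, the extension list and the `AllowOverride` assumption are mine; `php_flag` exists only under mod_php (and the module name in `<IfModule>` varies by PHP version), so on a PHP-FPM setup that section is simply skipped and the `RemoveHandler`/`SetHandler` lines do the work.

```apache
# Added example (not from the thread). Intended as the .htaccess of a
# hypothetical /var/www/html/uploads directory, with
#   AllowOverride FileInfo Options AuthConfig
# enabled for it in the main server configuration.

# --- WEAK (illustration only; keep it commented out) ----------------------
# A mapping like this is what makes Apache run .jpg files through PHP, so
# PHP code hidden in an EXIF or comment field executes:
#   AddHandler application/x-httpd-php .php .jpg .jpeg
# (AddType application/x-httpd-php .jpg has the same effect)

# --- HARDENED -------------------------------------------------------------
# 1. Nothing in this directory is ever executed, whatever its name or bytes.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
RemoveHandler .php .phtml .php3 .php4 .php5 .phps .phar
RemoveType    .php .phtml .php3 .php4 .php5 .phps .phar
SetHandler default-handler
Options -Indexes -ExecCGI

# 2. Deny everything, then re-allow only the image extensions the upload
#    script itself writes. The later, more specific section replaces the
#    earlier Require (default AuthMerging Off).
<FilesMatch ".+">
    Require all denied
</FilesMatch>
<FilesMatch "\.(?i:jpe?g|png|gif)$">
    Require all granted
</FilesMatch>

# 3. Stop browsers from sniffing a served file into another type.
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
</IfModule>

# --- QUARANTINE (Bind's point 1) -----------------------------------------
# While files await an administrator's review, replace section 2 with a
# blanket deny and let only a server-side script read from this directory:
#   Require all denied
```

To confirm the hardening took effect, drop a file named `test.php` containing `<?php phpinfo();` into the directory and request it: the response should be a 403 from section 2, and if you temporarily grant access to `.php` it should come back as plain text, never as executed output. If the files can be kept outside the web root entirely and served through a script, as the PDF recommends, this file is a second layer rather than the only one.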