File Upload Security

Posted: Mon Nov 29, 2010 4:39 pm
by Stacks
I allow users to upload pictures on my website. They can then view the pictures. What kind of file upload attacks can be used, and what can I do to prevent them?

If anyone can link me to any complete guides on how to protect from these attacks I will much appreciate it.

Re: File Upload Security

Posted: Tue Nov 30, 2010 7:10 am
by social_experiment
http://www.scanit.be/uploads/php-file-upload.pdf

Take a look at this URL. I've had similar concerns and this file helped a lot.

Re: File Upload Security

Posted: Thu Dec 02, 2010 4:59 am
by Bind
1. Hidden/protected uploads directory (.htaccess).
2. Challenge-response mechanism so they can't automate through your form (captcha/recaptcha).
3. Do not use hidden form (session) tickets, as your HTML can be parsed for their values and posted through.
4. File type validation.

Re: File Upload Security

Posted: Thu Dec 02, 2010 6:17 am
by social_experiment
Bind wrote:
4. File type validation.
Not sure if you have looked at that URL, but even uploading a .jpg / .gif file (image type) can leave you vulnerable if comments are embedded into the image file (the URL explains it a lot better). I think they advocate storing files outside the web root with custom names for more certainty.

Re: File Upload Security

Posted: Thu Dec 02, 2010 6:54 am
by Bind
social_experiment wrote:
Bind wrote:
4. File type validation.
Not sure if you have looked at that URL, but even uploading a .jpg / .gif file (image type) can leave you vulnerable if comments are embedded into the image file (the URL explains it a lot better). I think they advocate storing files outside the web root with custom names for more certainty.
Are you suggesting no file type validation?

I hope not.

The .htaccess protection of the upload directory effectively quarantines uploaded files from public access until an administrator can critique the files. The simple presence of a 'bad' file in a secured and quarantined file system directory is in no way insecure in and of itself.

There are functions that can import, parse, alter, delete, overwrite, and rewrite image and filename data, as well as streaming the file with headers ensuring no PHP code is compiled/executed at runtime.

No, I did not view the resource you posted. It's a dead link to me; I can not access it at all.

Here is a good writeup from Manuel Lemos of phpclasses.org on the subject.

Re: File Upload Security

Posted: Thu Dec 02, 2010 8:35 am
by social_experiment
Bind wrote:
Are you suggesting no file type validation?
File type checking, even if done right, can still not be enough, and I am not saying don't do it. The PDF shows examples of images being uploaded that can still contain malicious code and that have passed the 'type check'. Thanks for the URL, I will check it out.
Edit - Attached is the file. I can't add the PDF, so I converted it to txt.

Re: File Upload Security

Posted: Thu Dec 02, 2010 2:58 pm
by Bind
I like your style. It's good to be a paranoid PHP developer =)

Never rely on any data that can be forged. That's pretty much the #2 rule in PHP programming, right after: never trust any visitor input ... actually it's probably part of #1.

What you want to check is data that can NOT be forged, like the file extension, which will not be parsed by PHP to begin with if it's a proper extension for an image.

For instance, if a malicious user uploads 'image.gif.php' and forges the Content-Type header to 'image/gif' ...

<?php
#
#  file type checking: compare the END of the uploaded name against an
#  allow-list of extensions, so 'image.gif.php' never matches '.gif'
#
$allowed_extensions = array('gif','jpg','bmp');
foreach($allowed_extensions as $this_extension)
{
    # substr with a negative start returns the last strlen+1 characters, e.g. '.gif'
    if(substr($_FILES['userfile']['name'],-(strlen($this_extension)+1)) == '.'.$this_extension)
    {
        # process the file
    }
}
?>
... it will not be processed, so long as the server isn't set to process those file extensions with PHP.

Thanks for the file link. I will check it out soon.

Re: File Upload Security

Posted: Tue Dec 21, 2010 7:47 am
by timWebUK
social_experiment wrote:
Bind wrote:
Are you suggesting no file type validation?
File type checking, even if done right, can still not be enough, and I am not saying don't do it. The PDF shows examples of images being uploaded that can still contain malicious code and that have passed the 'type check'. Thanks for the URL, I will check it out.
Edit - Attached is the file. I can't add the PDF, so I converted it to txt.
That's because the web server configuration in their example allows the PHP interpreter to interpret JPEGs as PHP for some reason, hence picking up the script in the EXIF data.

Re: File Upload Security

Posted: Tue Dec 21, 2010 8:23 am
by social_experiment
timWebUK wrote:
That's because the web server configuration in their example allows the PHP interpreter to interpret JPEGs as PHP for some reason, hence picking up the script in the EXIF data.
Interesting. Is this an option that can be configured, and if so, what purpose does it have if it poses a risk?

I noticed in the PDF they mention that the user doesn't always have control over the configuration and should thus code / script as such. I read it as "trust no server".
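The two checks argued over in this thread, Bind's extension allow-list and social_experiment's point that a valid-looking image can still carry PHP in a comment or EXIF block, as an added example written for this page (Python rather than PHP, since the logic is language-neutral; not code from any poster). It shows why the extension check rejects 'image.gif.php', why a magic-byte check rejects a plain PHP file renamed to .gif, and why a GIF with script text inside still passes both, which is the case the random storage name outside the web root is there for.

```python
import os
import secrets

# Allow-list of final extensions (the thread's gif/jpg/bmp list plus png/jpeg).
ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png", "bmp"}

# Leading bytes each format must start with; checked against the file
# content rather than the forgeable Content-Type header.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "bmp": (b"BM",),
}


def safe_extension(filename):
    """Return the lower-cased FINAL extension if allowed, else None.
    Only the text after the last dot counts, so 'image.gif.php' -> 'php' -> None."""
    base = os.path.basename(filename)
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    return ext if ext in ALLOWED_EXTENSIONS else None


def content_matches(ext, data):
    """True if the file body begins with a signature valid for ext."""
    return any(data.startswith(m) for m in MAGIC[ext])


def validate_upload(filename, data):
    """Return the accepted extension, or None if either check fails.
    Note: a real GIF whose comment block contains '<?php' still passes,
    which is why the stored name and location matter (see storage_name)."""
    ext = safe_extension(filename)
    if ext is None or not content_matches(ext, data):
        return None
    return ext


def storage_name(ext):
    """Server-chosen file name for the quarantine directory outside the web
    root: 32 hex chars the client cannot predict, plus the verified extension."""
    return "%s.%s" % (secrets.token_hex(16), ext)


def quarantine_path(quarantine_dir, ext):
    # quarantine_dir is an assumed path outside DocumentRoot, e.g. /var/uploads
    return os.path.join(quarantine_dir, storage_name(ext))
```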