Does my PHP File Upload Script open vulnerabilities?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
Reed92
Forum Newbie
Posts: 2
Joined: Mon Aug 01, 2011 1:46 pm

Does my PHP File Upload Script open vulnerabilities?

Post by Reed92 »

I'm creating a simple upload script so that clients can upload information about potential projects (such as pdf's, cad drawings, etc.) to my server instead of email (the size of these files are sometimes too big for email)

Here's what I have:

Client Side

Code: Select all

<form enctype="multipart/form-data" action="script.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="10000000" />
<ul>
<li class="form"><label for="variable">Choose a file to upload: </label></li>
<li class="form"><input name="variable" type="file" /><br /></li>
<li class="form"><input type="submit" value="Upload File" /></li>
</ul>
</form>
Server Side

Code: Select all

<?php
$uploaddir = './upload/'; // Relative path under webroot
$uploadfile = $uploaddir . basename($_FILES['variable']['name']);
if (move_uploaded_file($_FILES['variable']['tmp_name'], $uploadfile)) {
echo "<p>File uploaded successfully</p>";
} else {
echo "<p>File uploading failed.  Please use your browser's back button to return to the upload form.</p>";
}
?>
Now, of course this would be normally vulnerable. It looks to me, though, that I can set my upload folder permissions to 700 and be safe.

Am I wrong thinking this way? Is it possible that the server will somehow execute a file automatically? (Because I don't see a way that this could cause harm)
User avatar
phazorRise
Forum Contributor
Posts: 134
Joined: Mon Dec 27, 2010 7:58 am

Re: Does my PHP File Upload Script open vulnerabilities?

Post by phazorRise »

Apply a filter to not allow uploading of php,pl etc files on server. Accept only those files which you want by checking their extension.
yes, changing folder and file permission do the trick.
User avatar
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Does my PHP File Upload Script open vulnerabilities?

Post by social_experiment »

viewtopic.php?f=34&t=125329&p=636231
viewtopic.php?f=50&t=102106&p=547753
Look at these topics for insight into upload script security (or some basics at least).
phazorRise wrote:Apply a filter to not allow uploading of php,pl etc files on server. Accept only those files which you want by checking their extension.
This isn't a very secure (or surefire) way of stopping malicious users from uploading certain file types using your script.

Code: Select all

<?php
$uploaddir = './upload/'; // Relative path under webroot
$uploadfile = $uploaddir . basename($_FILES['variable']['name']);
if (move_uploaded_file($_FILES['variable']['tmp_name'], $uploadfile)) {
echo "<p>File uploaded successfully</p>";
} else {
echo "<p>File uploading failed.  Please use your browser's back button to return to the upload form.</p>";
}
?>
You should check if the file is indeed uploaded (is_uploaded_file()) before you copy it elsewhere. Place uploaded files outside the webroot is a good starting point though.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
User avatar
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: Does my PHP File Upload Script open vulnerabilities?

Post by timWebUK »

You also might want to enforce a server-side max file size as well as a client-side filter.
User avatar
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W
Contact:

Re: Does my PHP File Upload Script open vulnerabilities?

Post by pickle »

@ !social_experiment: You don't need to call is_uploaded_file() if you're using move_uploaded_file(), as the latter does the same kind of checking as the former.

Storing the files outside the document root is a must. If users upload .php files, storing the files in the web root could cause problems.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
User avatar
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Does my PHP File Upload Script open vulnerabilities?

Post by social_experiment »

Ok; thanks, i was unaware of that :)
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
Post Reply