Does my PHP File Upload Script open vulnerabilities?

Posted: Mon Aug 01, 2011 1:53 pm
by Reed92
I'm creating a simple upload script so that clients can upload information about potential projects (such as PDFs, CAD drawings, etc.) to my server instead of emailing it (these files are sometimes too big for email).

Here's what I have:

Client Side

Code:

<form enctype="multipart/form-data" action="script.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="10000000" />
<ul>
<li class="form"><label for="variable">Choose a file to upload: </label></li>
<li class="form"><input name="variable" type="file" /><br /></li>
<li class="form"><input type="submit" value="Upload File" /></li>
</ul>
</form>

Server Side

Code:

<?php
$uploaddir = './upload/'; // Relative path under webroot
$uploadfile = $uploaddir . basename($_FILES['variable']['name']);
if (move_uploaded_file($_FILES['variable']['tmp_name'], $uploadfile)) {
echo "<p>File uploaded successfully</p>";
} else {
echo "<p>File uploading failed.  Please use your browser's back button to return to the upload form.</p>";
}
?>

Now, of course this would normally be vulnerable. It looks to me, though, that I can set my upload folder permissions to 700 and be safe.

Am I wrong thinking this way? Is it possible that the server will somehow execute a file automatically? (Because I don't see a way that this could cause harm)

Re: Does my PHP File Upload Script open vulnerabilities?

Posted: Tue Aug 02, 2011 2:31 am
by phazorRise
Apply a filter to not allow uploading of php, pl, etc. files on the server. Accept only those files which you want by checking their extension.
Yes, changing folder and file permissions does the trick.

Re: Does my PHP File Upload Script open vulnerabilities?

Posted: Tue Aug 02, 2011 1:41 pm
by social_experiment
viewtopic.php?f=34&t=125329&p=636231
viewtopic.php?f=50&t=102106&p=547753
Look at these topics for insight into upload script security (or some basics at least).
phazorRise wrote: Apply a filter to not allow uploading of php, pl, etc. files on the server. Accept only those files which you want by checking their extension.
This isn't a very secure (or surefire) way of stopping malicious users from uploading certain file types using your script.

Code:

<?php
$uploaddir = './upload/'; // Relative path under webroot
$uploadfile = $uploaddir . basename($_FILES['variable']['name']);
if (move_uploaded_file($_FILES['variable']['tmp_name'], $uploadfile)) {
echo "<p>File uploaded successfully</p>";
} else {
echo "<p>File uploading failed.  Please use your browser's back button to return to the upload form.</p>";
}
?>

You should check if the file is indeed uploaded (is_uploaded_file()) before you copy it elsewhere. Placing uploaded files outside the webroot is a good starting point though.

Re: Does my PHP File Upload Script open vulnerabilities?

Posted: Fri Sep 02, 2011 3:53 am
by timWebUK
You also might want to enforce a server-side max file size as well as a client-side filter.

Re: Does my PHP File Upload Script open vulnerabilities?

Posted: Thu Nov 24, 2011 3:51 pm
by pickle
@social_experiment: You don't need to call is_uploaded_file() if you're using move_uploaded_file(), as the latter does the same kind of checking as the former.

Storing the files outside the document root is a must. If users upload .php files, storing the files in the web root could cause problems.

Re: Does my PHP File Upload Script open vulnerabilities?

Posted: Thu Nov 24, 2011 4:19 pm
by social_experiment
OK, thanks, I was unaware of that :)
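
A hardened variant of the handler discussed in this thread, combining the replies' advice (extension allow-list, server-side size limit, storage outside the document root) and going one step further with a content-type check. This is an added example, not code posted by any participant; the storage path, the allow-list entries and the availability of PHP 7+ with the fileinfo extension are assumptions.

```php
<?php
// Added example, not code from the thread. Path and allow-list are assumptions.
const UPLOAD_DIR = '/var/uploads/projects'; // assumed location outside the document root
const MAX_BYTES  = 10000000;                // server-side copy of the form's MAX_FILE_SIZE
const ALLOWED    = [                        // extension => MIME type finfo must report
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',                  // add CAD formats after checking finfo's output
];

function store_upload(array $file): string
{
    // PHP sets 'error'; anything but UPLOAD_ERR_OK means no usable temp file.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error');
    }
    // The hidden MAX_FILE_SIZE field is client-controlled, so measure the file here.
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Allow-list on the extension; the client-supplied name is used for nothing else.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // Content check: the bytes must match the type the extension claims.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-generated name; move_uploaded_file() refuses files that were not
    // received through an HTTP POST upload.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0600); // readable and writable by the owning account only
    return $target;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        store_upload($_FILES['variable'] ?? []);
        echo "<p>File uploaded successfully</p>";
    } catch (RuntimeException $e) {
        error_log('Upload rejected: ' . $e->getMessage());
        echo "<p>File uploading failed.</p>";
    }
}
```

Because the stored name is generated on the server and the directory is not served by the web server, an uploaded file can only reach a client through a separate download script that you control.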