tarnus wrote: In situations where you allow other file types to be uploaded, such as PDFs and text files, you couldn't use getimagesize for those file types... How would you then prevent it from happening for them?
Look through the threads linked from Useful Posts.
HTF???
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
Re: Other types
- AKA Panama Jack
- Forum Regular
- Posts: 878
- Joined: Mon Nov 14, 2005 4:21 pm
Re: Other types
tarnus wrote: In situations where you allow other file types to be uploaded, such as PDFs and text files, you couldn't use getimagesize for those file types... How would you then prevent it from happening for them?
Well, if you have the PDF module installed you could try loading the file as a PDF and see if it fails using PDF_open_pdi.
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
Re: Other types
tarnus wrote: In situations where you allow other file types to be uploaded, such as PDFs and text files, you couldn't use getimagesize for those file types... How would you then prevent it from happening for them?
If this is a CMS you could provide the *option* to set the file types that are allowed and then check the header bytes for those types... I don't believe the overhead would be huge, and it only happens when uploading a file, so it's not like it's being done in a loop on every page load or anything.
Weirdan wrote: Unlike what others said, I would recommend storing uploaded files in a special dir (like myhost.com/uploads/) and putting an .htaccess file there with a RemoveType (or RemoveHandler) directive inside to prevent PHP execution in that specific dir.
Not a bad idea, but wouldn't chmod 0444 do the same thing?
Weirdan wrote: Unlike what others said, I would recommend storing uploaded files in a special dir (like myhost.com/uploads/) and putting an .htaccess file there with a RemoveType (or RemoveHandler) directive inside to prevent PHP execution in that specific dir.
Excellent suggestion. I hadn't thought of removing the executable types. That would pretty much eliminate this type of exploit.
Thanks!
- alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Chonk wrote: I had a quick look over the script and it just acts as an interface to make it simpler to exploit the system further. The fact that it's on the system means that your code had a hole that allowed it to be uploaded; you may be lucky and your system may actually be quite secure and patched. It's still worth some investigation though.
It basically just returned normal variables accessible through any PHP script...DOCROOT, etc...
Here is the link for those that are interested:
http://rst.void.ru/download/r57shell.txt
Nothing amazing...and the guy...didn't really do anything fancy but uploaded a PHP script via my file upload...my bad I admit...but any tool could figure that out...
As far as I can tell they did nothing to my system...except upload the scripts...I imagine I'll be getting an email from the company if they did anything bad
- alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
AKA Panama Jack wrote: Just use getimagesize to detect the image type. It works, and if you are accepting images and NOT using this then it really is a security flaw.
You should be using that to detect the image type, and if the image type doesn't match the extension used then the uploaded data should be discarded.
PHP manual on getimagesize wrote: Returns an array with 4 elements. Index 0 contains the width of the image in pixels. Index 1 contains the height. Index 2 is a flag indicating the type of the image: 1 = GIF, 2 = JPG, 3 = PNG, 4 = SWF, 5 = PSD, 6 = BMP, 7 = TIFF (Intel byte order), 8 = TIFF (Motorola byte order), 9 = JPC, 10 = JP2, 11 = JPX, 12 = JB2, 13 = SWC, 14 = IFF, 15 = WBMP, 16 = XBM.
I'm not going to get into this security argument again...as it's strictly subjective...
IMHO it's not a security flaw...but merely a misunderstanding of how files were processed by PHP...
Again...it's a generic file manager...so checking images using the getimage_* type functions won't work or at least serves no point...
I was well aware of the *risk* and I am well aware of how to properly check and sanitize user input...
How do you incorporate security checks for *every* single file known to man? While still remaining manageable???
You check its extension against a known array of trusted extensions, under the assumption that by using a principle of least privilege you *can* make your system fairly secure...
Problem was...I had no idea PHP executed anything thrown at it
I guess users will have to accept that as a generic file manager...there are inherent risks...
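Pulling together the suggestions made in this thread (an extension allow-list, a getimagesize or header-byte check tied to each allowed type, and an .htaccess with RemoveHandler/RemoveType in the upload directory), as an added PHP 8 example that is not code from any poster here. The allowed-type set, the function names and the `php_flag engine off` line (which assumes mod_php) are assumptions.

```php
<?php
// Added example, not code from this thread. Each allow-listed extension
// gets a content check, the stored name is generated rather than taken
// from the client, and uploads/.htaccess disables PHP as a second layer.

function is_image_of_type(string $path, int $type): bool {
    $info = @getimagesize($path);            // false unless a real image
    return $info !== false && $info[2] === $type;
}

function has_magic(string $path, string $magic): bool {
    return file_get_contents($path, false, null, 0, strlen($magic)) === $magic;
}

function is_plain_text(string $path): bool {
    $data = (string) file_get_contents($path);
    // No NUL bytes, valid UTF-8, and no "<?" open tag: a ".txt" holding
    // PHP source is exactly what this thread's attacker uploaded.
    return strpos($data, "\0") === false
        && preg_match('//u', $data) === 1
        && strpos($data, '<?') === false;
}

// Returns the extension to store under, or null to reject the upload.
function validate_upload(string $tmpPath, string $clientName): ?string {
    // Only the LAST extension counts, and it must be in the allow-list;
    // anything not listed here is refused instead of special-cased.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $ok = match ($ext) {
        'gif'         => is_image_of_type($tmpPath, IMAGETYPE_GIF),
        'jpg', 'jpeg' => is_image_of_type($tmpPath, IMAGETYPE_JPEG),
        'png'         => is_image_of_type($tmpPath, IMAGETYPE_PNG),
        'pdf'         => has_magic($tmpPath, '%PDF-'),
        'txt'         => is_plain_text($tmpPath),
        default       => false,
    };
    return $ok ? $ext : null;
}

// Generated storage name: the client's "shell.php.jpg" never reaches disk,
// which matters because Apache mod_mime considers every extension in a name.
function stored_name(string $ext): string {
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Contents for uploads/.htaccess. RemoveHandler/RemoveType undo AddHandler/
// AddType for .php; "engine off" also covers SetHandler-style configs (mod_php,
// and AllowOverride must permit these directives; both are assumptions).
const UPLOADS_HTACCESS = "RemoveHandler .php .phtml .phar\n"
    . "RemoveType .php .phtml .phar\n"
    . "php_flag engine off\n";
```

A handler would call `validate_upload($_FILES['file']['tmp_name'], $_FILES['file']['name'])`, reject on null, and otherwise `move_uploaded_file` the temp file to `uploads/` under `stored_name($ext)`.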
- alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: Other types
tarnus wrote: In situations where you allow other file types to be uploaded, such as PDFs and text files, you couldn't use getimagesize for those file types... How would you then prevent it from happening for them?
d11wtq wrote: If this is a CMS you could provide the *option* to set the file types that are allowed and then check the header bytes for those types... I don't believe the overhead would be huge, and it only happens when uploading a file, so it's not like it's being done in a loop on every page load or anything.
Again...good in theory...but not practical...
How many files could a user potentially upload? Almost infinite...that's why I chose to use an extension check...
Writing a custom header check...for every known file...or possible file...it's just not practical...
One alternative might be to use the reverse of what I have now...in that the upload script checks to see if the file is potentially a PHP script and if so...exit...
But that's using the principle of most privilege...and I personally prefer the opposite...
I still think that controlling which files are executed by PHP or Perl is the way to go...problem is...on shared hosts...I'm not sure I can control those settings
Cheers
- alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Weirdan wrote: Unlike what others said, I would recommend storing uploaded files in a special dir (like myhost.com/uploads/) and putting an .htaccess file there with a RemoveType (or RemoveHandler) directive inside to prevent PHP execution in that specific dir.
Well, the problem is...
My file manager is tightly integrated with the WYSIWYG editor...so files are uploaded into directories, etc for a reason...
Images included in web pages, etc...
I also want to let people have the power of uploading PHP scripts, like PHPBB via an online FORM or a ZIP file...
Basically it's a web based file manager...which works like Explorer: when you click on files, appropriate editors are loaded, etc...
That's why I chose not to store files in a DB or protected directory...