Security issues when allowing file upload

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

croniccoder
Forum Commoner
Posts: 27
Joined: Fri Jul 07, 2006 10:45 am

Post by croniccoder »

I added an enhancement to my company's website which allows users to apply for a job online and upload a resume, which is then emailed to a certain person where the uploaded file is sent as an attachment. I have limited the mime type uploads to only word documents or plain text files.

Code:

// Obtain file upload vars
$fileatt      = $_FILES['uploadedFile']['tmp_name'];
$fileatt_type = $_FILES['uploadedFile']['type'];
$fileatt_name = $_FILES['uploadedFile']['name'];

Does anyone know of any issues when allowing a user to upload a file to a server in PHP? In other words, could someone possibly enter some malicious script into the input box which is used to browse for the file on a user's local machine?
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

if you're really verifying a valid mime type (which you're not with the code given), then you don't need to worry about it.

A good practice is to also put documents such as those outside of your virtual folder. That way the files can not be accessed from the web.
croniccoder
Forum Commoner
Posts: 27
Joined: Fri Jul 07, 2006 10:45 am

Post by croniccoder »

The code I posted is only a snippet.

"A good practice is to also put documents such as those outside of your virtual folder."

I'm not quite sure what you mean by that? Do you mean that the file being uploaded should be uploaded to a different machine other than the webserver?
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

no...

let's say that my web site is under /usr/local/httpd/mySite or c:\inetpub\wwwroot\mysite

a good practice to upload files that you think might be harmful is to put them outside of your web root (virtual folder) so they can't be accessed from the web.

ex:

/some/other/path/to/files/myfile.doc or c:\some\other\path\to\files\myfile.doc

that way no one can access the file by going to http://www.mysite.com/myfile.doc.

in the case of .doc and .txt files, I wouldn't worry so much, but as a general rule, it's good practice for files for which you have a concern.
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

2 issues here.

1) The MIME type is sent by the browser...but it isn't guaranteed to be sent. What happens when the MIME type is not sent?

2) The MIME type can fairly easily be faked


I would check for a MIME type; if it exists, check against allowed MIME types.

Also check the file extension (although even easier to fake)

and finally, do as suggested above and store outside of the site root
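
The checks discussed in this thread, combined into one handler. This is an added example, not code posted by any participant: it ignores the browser-supplied `$_FILES[...]['type']`, detects the type from the file contents with PHP's fileinfo extension, checks the extension against an allowlist, and stores the file under a server-generated name outside the web root. `STORAGE_DIR`, `MAX_BYTES`, `store_resume()` and the list of MIME strings for `.doc` are assumptions.

```php
<?php
// Added example, not code from the thread. STORAGE_DIR and MAX_BYTES are
// hypothetical values; the directory must sit outside the web root.
const STORAGE_DIR = '/var/app-data/resumes';
const MAX_BYTES   = 2 * 1024 * 1024;
// Allowed extension => MIME types fileinfo may report for it. The exact
// string for .doc varies with the libmagic version (assumption).
const ALLOWED = [
    'txt' => ['text/plain'],
    'doc' => ['application/msword', 'application/vnd.ms-office'],
];

function store_resume(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file sent');
    }
    // Accept only a temp file that PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // The client-supplied name only selects an allowlist entry; it is
    // never used as part of the destination path.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('Extension not allowed');
    }
    // Detect the type from the file's bytes; $file['type'] is whatever the
    // browser chose to send (or nothing) and is deliberately ignored.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($detected, ALLOWED[$ext], true)) {
        throw new RuntimeException('Content does not match extension');
    }
    // Server-generated name, stored where no URL maps to it.
    $dest = STORAGE_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $dest;
}

try {
    $path = store_resume($_FILES['uploadedFile'] ?? []);
} catch (RuntimeException $e) {
    http_response_code(400);
    exit('Upload rejected');
}
```

The returned path is what the mail code would attach; the original filename, if it is shown to the recipient at all, should be treated as untrusted display text.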