
Security issues when allowing file upload

Posted: Thu Jul 20, 2006 3:43 pm
by croniccoder
I added an enhancement to my company's website which allows users to apply for a job online and upload a resume, which is then emailed to a certain person where the uploaded file is sent as an attachment. I have limited the mime type uploads to only Word documents or plain text files.


// Obtain file upload vars
$fileatt      = $_FILES['uploadedFile']['tmp_name'];
$fileatt_type = $_FILES['uploadedFile']['type'];
$fileatt_name = $_FILES['uploadedFile']['name'];

Does anyone know of any issues when allowing a user to upload a file to a server in PHP? In other words, could someone possibly enter some malicious script into the input box which is used to browse for the file on a user's local machine?

Posted: Thu Jul 20, 2006 3:47 pm
by Burrito
if you're really verifying a valid mime type (which you're not with the code given), then you don't need to worry about it.

A good practice is to also put documents such as those outside of your virtual folder. That way the files can not be accessed from the web.

Posted: Thu Jul 20, 2006 3:51 pm
by croniccoder
The code I posted is only a snippet.

A good practice is to also put documents such as those outside of your virtual folder.

I'm not quite sure what you mean by that. Do you mean that the file being uploaded should be uploaded to a different machine other than the webserver?

Posted: Thu Jul 20, 2006 4:10 pm
by Burrito
no...

let's say that my web site is under /usr/local/httpd/mySite or c:\inetpub\wwwroot\mysite

a good practice to upload files that you think might be harmful is to put them outside of your web root (virtual folder) so they can't be accessed from the web.

ex:

/some/other/path/to/files/myfile.doc or c:\some\other\path\to\files\myfile.doc

that way no one can access the file by going to http://www.mysite.com/myfile.doc.

in the case of .doc and .txt files, I wouldn't worry so much, but as a general rule, it's good practice for files for which you have a concern.

Posted: Fri Jul 21, 2006 3:03 am
by JayBird
2 issues here.

1) The MIME type is sent by the browser...but it isn't guaranteed to be sent. What happens when the MIME type is not sent?

2) The MIME type can fairly easily be faked.


I would check for a MIME type and, if it exists, check it against the allowed MIME types.

Also check the file extension (although even easier to fake)

and finally, do as suggested above and store outside of the site root.
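Putting JayBird's checklist and Burrito's store-outside-the-web-root advice together, here is an added PHP handler (example code, not from anyone in this thread). It assumes the `uploadedFile` form field from the original post and a hypothetical storage directory `/var/uploads/resumes` that the web server does not serve; the MIME type is taken from the file's bytes with finfo rather than from the browser-supplied `$_FILES[...]['type']`.

```php
<?php
// Added example, not from the thread. Assumes the form field 'uploadedFile'
// from the original post and a storage directory outside the web root.
const UPLOAD_DIR = '/var/uploads/resumes';   // hypothetical path, not served by httpd

// Allowed extension => MIME type that finfo must detect from the file's bytes.
const ALLOWED = [
    'txt' => 'text/plain',
    'doc' => 'application/msword',
];

// Validate and store one entry of $_FILES. Returns the stored path on
// success, or an 'error: ...' string saying why the upload was rejected.
function store_resume(array $file): string
{
    // 1. Reject anything PHP itself flagged (no file, partial upload, too large).
    $code = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($code !== UPLOAD_ERR_OK) {
        return "error: upload failed with code $code";
    }
    // 2. Only handle a temp file that really came from this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'error: not an uploaded file';
    }
    // 3. Extension allowlist, taken from the client-supplied name (lower-cased).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return "error: extension '$ext' not allowed";
    }
    // 4. MIME type from the bytes on disk. $_FILES[...]['type'] is set by the
    //    browser, so the client can omit it or set it to anything; ignore it.
    $finfo    = finfo_open(FILEINFO_MIME_TYPE);
    $detected = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if ($detected !== ALLOWED[$ext]) {
        return "error: content type '$detected' does not match .$ext";
    }
    // 5. Never reuse the client's filename: random name, allowlisted extension,
    //    stored where the web server does not serve files.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'error: could not move file';
    }
    return $dest;
}

$result = store_resume($_FILES['uploadedFile'] ?? []);
// $result is now either a path under UPLOAD_DIR (attach the file to the
// notification e-mail from there) or an 'error: ...' string for the applicant.
```

The MIME string finfo returns depends on the installed libmagic database, so check it against real sample .doc and .txt files on the target server before relying on the ALLOWED table.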