Second set of eyes for sterilizing PHP

Posted: Fri Dec 26, 2008 4:52 am
by alex.barylski
I'm allowing a user to upload HTML files to a server...nothing more, nothing less.

I don't want them to embed PHP script in the HTML inadvertently or deliberately, so when I upload the file I str_replace the instances of

<? or <% with <

Is this sufficient for preventing the execution of PHP script?

I know there are far better/robust ways of solving the issue, like using a proxy script, disabling PHP execution, etc...but there are reasons I have used this "hack" approach. One being there are already PHP files in the directory he is uploading to, so disabling PHP is not an option.

I just want to sanitize an HTML file and prevent any kind of execution directly from it...will the above suffice?

Cheers,
Alex

Re: Second set of eyes for sterilizing PHP

Posted: Fri Dec 26, 2008 8:38 am
by Mordred
1.

Code:

<script language="PHP"

Also, str_replace should be used in a loop (remember?). Better show some code.

2. HTML upload = XSS. Make sure you know how that affects you.

3. Uploads should go in another folder with PHP engine disabled.
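The two points above (the single-pass str_replace and the alternative open-tag syntax), as an added PHP example that is not code from Mordred or anyone else in this thread: a fixed-point version of the OP's str_replace beside a check that asks PHP's own tokenizer (ext/tokenizer) whether an upload contains anything the interpreter would run. Function names and the sample inputs are my own.

```php
<?php
// Added example, not code from any post in this thread.
// Point 1: str_replace makes a single left-to-right pass, so "<<??php" becomes
// "<<?php" and still opens PHP. Repeat until the input stops changing.
function stripOpenTags(string $html): string
{
    do {
        $before = $html;
        $html = str_replace(['<?', '<%'], '<', $html);
    } while ($html !== $before);
    return $html;
}

// Point 2: instead of guessing every open-tag spelling, ask PHP's own tokenizer
// whether the file contains anything that would switch the scanner into PHP mode.
// This covers <?php and <?= and, on interpreters of that era, <? (short_open_tag),
// <% (asp_tags) and <script language="php">, because it is the same scanner the
// server uses. Caveat: run it under the same php.ini as the web server, since
// short_open_tag/asp_tags change what counts as an open tag.
function containsPhpCode(string $html): bool
{
    foreach (token_get_all($html) as $token) {
        // Plain HTML comes back as a single T_INLINE_HTML token; any open-tag
        // token means the interpreter would start executing at that point.
        if (is_array($token)
            && in_array($token[0], [T_OPEN_TAG, T_OPEN_TAG_WITH_ECHO], true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample uploads: clean HTML, a normal open tag, a nested one that
// survives a single str_replace pass, and the script-tag form Mordred mentioned
// (which str_replace on "<?" and "<%" never touches).
$samples = [
    '<p>plain html</p>',
    '<p><?php echo 1; ?></p>',
    '<p><<??php echo 1; ?></p>',
    '<script language="php">echo 1;</script>',
];
foreach ($samples as $s) {
    printf("%-45s tokenizer:%-4s after-strip:%s\n",
        $s,
        containsPhpCode($s) ? 'PHP' : 'ok',
        containsPhpCode(stripOpenTags($s)) ? 'PHP' : 'ok');
}
```

Rejecting an upload when containsPhpCode() returns true is safer than rewriting it, since the tokenizer result reflects exactly what the installed interpreter would execute.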

Re: Second set of eyes for sterilizing PHP

Posted: Fri Dec 26, 2008 10:27 am
by kaisellgren
Are these HTML files being uploaded as .php or .html?

Re: Second set of eyes for sterilizing PHP

Posted: Fri Dec 26, 2008 7:18 pm
by alex.barylski

Code:

<script language="PHP"

Bah...forgot about that. Good call :)

Can I disable that in the PHP ini?

http://www.php.net/~derick/meeting-note ... dd-php-var

Looks pretty old but I would prefer to just disable everything but the standard PHP open tag...I've done a quick Google but cannot find the setting, if it even exists.

Re: Second set of eyes for sterilizing PHP

Posted: Fri Dec 26, 2008 7:23 pm
by kaisellgren
PCSpectra wrote:

Code:

<script language="PHP"

Bah...forgot about that. Good call :)

Can I disable that in the PHP ini?

http://www.php.net/~derick/meeting-note ... dd-php-var

Looks pretty old but I would prefer to just disable everything but the standard PHP open tag...I've done a quick Google but cannot find the setting, if it even exists.

There is no setting to disable it as far as I know.

Re: Second set of eyes for sterilizing PHP

Posted: Sun Dec 28, 2008 3:22 pm
by alex.barylski
I have searched high and dry and couldn't find squat but discovered a much better solution to circumvent any possible security issues.

Re: Second set of eyes for sterilizing PHP

Posted: Sun Dec 28, 2008 10:51 pm
by Ambush Commander
Two questions:

1. What file extensions are you allowing users to upload the files as?

2. Why is the PHP interpreter running on HTML files?

Re: Second set of eyes for sterilizing PHP

Posted: Mon Dec 29, 2008 12:44 am
by j4IzbInao
My take on the whole part of sterilizing uploaded files: have the following in an .htaccess file in the upload directory:

Code:

php_flag engine off

If you do not intend to include content via require/include that the users upload shouldn't be able to parse, right?

Re: Second set of eyes for sterilizing PHP

Posted: Mon Dec 29, 2008 9:42 am
by kaisellgren
j4IzbInao wrote: My take on the whole part of sterilizing uploaded files: have the following in an .htaccess file in the upload directory:

Code:

php_flag engine off

If you do not intend to include content via require/include that the users upload shouldn't be able to parse, right?

The OP said he has PHP files in the same directory, so disabling the PHP engine is no answer.

Again, are the files .html or .php? Have you set PHP to parse .html files too?

Re: Second set of eyes for sterilizing PHP

Posted: Tue Dec 30, 2008 1:04 am
by j4IzbInao
kaisellgren wrote:
j4IzbInao wrote: My take on the whole part of sterilizing uploaded files: have the following in an .htaccess file in the upload directory:

Code:

php_flag engine off

If you do not intend to include content via require/include that the users upload shouldn't be able to parse, right?

The OP said he has PHP files in the same directory, so disabling the PHP engine is no answer.

Again, are the files .html or .php? Have you set PHP to parse .html files too?

Oh, my mistake, missed that one. But I can't think of a reason that you MUST have the ability to parse PHP in a directory where you upload data, so why not simply build around the problem and disable PHP for that single directory? It might be a pain in the arse to do, but in my eyes it seems the best way to do things.

Re: Second set of eyes for sterilizing PHP

Posted: Tue Dec 30, 2008 8:44 am
by kaisellgren
j4IzbInao wrote:
kaisellgren wrote:
j4IzbInao wrote: My take on the whole part of sterilizing uploaded files: have the following in an .htaccess file in the upload directory:

Code:

php_flag engine off

If you do not intend to include content via require/include that the users upload shouldn't be able to parse, right?

The OP said he has PHP files in the same directory, so disabling the PHP engine is no answer.

Again, are the files .html or .php? Have you set PHP to parse .html files too?

Oh, my mistake, missed that one. But I can't think of a reason that you MUST have the ability to parse PHP in a directory where you upload data, so why not simply build around the problem and disable PHP for that single directory? It might be a pain in the arse to do, but in my eyes it seems the best way to do things.

Yea, I agree. I have no idea why he needs those .php files to be in that same directory.