File Upload Security
I allow users to upload pictures on my website. They can then view the pictures. What kind of file upload attacks can be used, and what can I do to prevent them?
If anyone can link me to any complete guides on how to protect from these attacks I will much appreciate it.
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: File Upload Security
http://www.scanit.be/uploads/php-file-upload.pdf
Take a look at this url, I've had similar concerns and this file helped a lot.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
Re: File Upload Security
1. hidden/protected uploads directory (.htaccess).
2. challenge-response mechanism so they can't automate through your form (captcha/recaptcha).
3. do not use hidden form (session) tickets as your html can be parsed for their values and posted through.
4. file type validation.
- social_experiment
Re: File Upload Security
Bind wrote: 4. file type validation.
Not sure if you have looked at that url but even uploading a .jpg / .gif file (image type) can leave you vulnerable, if comments are embedded into the image file (the url explains it a lot better). I think they advocate storing files outside the web root with custom names for more certainty.
Re: File Upload Security
social_experiment wrote (quoting Bind's "4. file type validation."): Not sure if you have looked at that url but even uploading a .jpg / .gif file (image type) can leave you vulnerable, if comments are embedded into the image file (the url explains it a lot better). I think they advocate storing files outside the web root with custom names for more certainty.
Are you suggesting no file type validation?
I hope not.
The .htaccess protection of the upload directory effectively quarantines uploaded files from public access until an administrator can critique the files. The simple presence of a 'bad' file in a secured and quarantined file system directory is in no way insecure in and of itself.
There are functions that can import, parse, alter, delete, overwrite, and rewrite image and filename data, as well as streaming the file with headers ensuring no PHP code is compiled/executed at runtime.
No, I did not view the resource you posted - it's a dead link to me - I cannot access it at all.
Here is a good write-up from Manuel Lemos of phpclasses.org on the subject
- social_experiment
Re: File Upload Security
Bind wrote: Are you suggesting no file type validation?
File type checking, even if done right, can still not be enough, and I am not saying don't do it. The pdf shows examples of images being uploaded that can still contain malicious code and that have passed the 'type check'. Thanks for the url, I will check it out.
Edit - Attached is the file; I can't add the pdf so I converted it to txt.
Attachment: php-file-upload.rar (file upload text file, 8 KiB)
Re: File Upload Security
I like your style - it's good to be a paranoid PHP developer =)
Never rely on any data that can be forged - pretty much the #2 rule in PHP programming, right after: never trust any visitor input ... actually it's probably a part of #1.
What you want to check is data that can NOT be forged, like the file extension, which will not be parsed by PHP to begin with if it's a proper extension for an image.
For instance, if a malicious user uploads 'image.gif.php' and forges the Content-Type header to 'image/gif' ...
... it will not be processed so long as the server isn't set to process those file extensions by PHP.
Code:
<?php
#
# file type checking: compare the end of the submitted filename
# against each allowed extension (dot included)
#
$allowed_extensions = array('gif', 'jpg', 'bmp');
foreach ($allowed_extensions as $this_extension)
{
    # true only when the name ends in '.gif', '.jpg' or '.bmp';
    # 'image.gif.php' ends in '.php' and so never matches
    if (substr($_FILES['userfile']['name'], -(strlen($this_extension) + 1)) == '.' . $this_extension)
    {
        # process the file
        break;
    }
}
?>
Thanks for the file link - I will check it out soon.
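The checks raised across this thread (only the final extension counts, so 'image.gif.php' is refused; the forgeable Content-Type is ignored in favour of the bytes on disk; the image is re-encoded so EXIF or comment payloads do not survive; a random server-chosen name in a directory outside the web root; streaming with explicit headers) combined into one handler. This is an added example, not Bind's code and not from the linked PDF; UPLOAD_DIR, store_uploaded_image and serve_image are placeholder names, and PHP 8 with the GD and fileinfo extensions is assumed.

```php
<?php
// Added example, not Bind's code. Assumptions (placeholders): UPLOAD_DIR is
// outside the document root and the form field is named 'userfile'.
const UPLOAD_DIR = '/var/www/private_uploads';
// The only accepted extensions, mapped to the MIME type the bytes must really have.
const ALLOWED = ['gif' => 'image/gif', 'jpg' => 'image/jpeg', 'png' => 'image/png'];

function store_uploaded_image(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    // Only the final extension counts: 'image.gif.php' has extension 'php' and is rejected.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Ignore the forgeable client-sent $file['type']; sniff the bytes on disk instead.
    if ((new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']) !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Re-encode through GD: the stored file holds pixel data only, so PHP hidden
    // in EXIF or comment fields is not carried over (GIF animation is dropped too).
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }
    // Server-chosen random name: the user's filename never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = match ($ext) {
        'gif' => imagegif($img, UPLOAD_DIR . '/' . $name),
        'jpg' => imagejpeg($img, UPLOAD_DIR . '/' . $name, 90),
        'png' => imagepng($img, UPLOAD_DIR . '/' . $name),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $name;
}

// Viewing: stream the file with explicit headers rather than linking into the directory.
function serve_image(string $name): void
{
    $path = UPLOAD_DIR . '/' . $name;
    if (!preg_match('/^[0-9a-f]{32}\.(gif|jpg|png)$/', $name) || !is_file($path)) {
        http_response_code(404); return;
    }
    header('Content-Type: ' . ALLOWED[pathinfo($name, PATHINFO_EXTENSION)]);
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

Call store_uploaded_image($_FILES['userfile']) from the upload script and serve_image($name) from the viewer script; nothing in UPLOAD_DIR is reachable by URL, so the web server never gets the chance to hand an uploaded file to the PHP interpreter.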
Re: File Upload Security
social_experiment wrote (quoting Bind's "Are you suggesting no file type validation?"): File type checking, even if done right, can still not be enough, and I am not saying don't do it. The pdf shows examples of images being uploaded that can still contain malicious code and that have passed the 'type check'. Thanks for the url, I will check it out. Edit - Attached is the file; I can't add the pdf so I converted it to txt.
That's because the web server configuration in their example allows the PHP interpreter to interpret JPEGs as PHP for some reason, hence picking up the script in the EXIF data.
- social_experiment
Re: File Upload Security
timWebUK wrote: That's because the web server configuration in their example allows the PHP interpreter to interpret JPEGs as PHP for some reason, hence picking up the script in the EXIF data.
Interesting. Is this an option that can be configured, and if so, what purpose does it have if it poses a risk?
I noticed in the pdf they mention that the user doesn't always have control over the configuration and should thus code / script as such. I read it as "trust no server".