Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I restricted file uploads to *media only* files and somehow someone used the above mentioned program to upload a PHP script such as...
somefile.php.gif
Does this depend on my server settings?
If a file has the extension GIF, should it not be interpreted on the server as such?
Being sent as garbage back to the browser, as it's not really a GIF file in format?
Thankfully...it was on a test server and no sensitive data was exposed...but they could potentially use this again to perform attacks...so I think I'm gonna have to shut down the demo for the time being
What Apache setting is responsible for letting a GIF file execute as PHP code?
I'd like to know which setting is responsible for this...
As, despite my misfortune
I still don't consider it a security flaw in my app...if ONLY PHP scripts executed and nothing else, which I blindly assumed, everything would be fine...
But yeah...I might just have to check file sigs from now on
Astion's solution is fairly standard - getimagesize() returns false if the image is not found valid. A file upload is user input - hence you filter it and don't believe the file extension. I suggest reading up on the area - take a few hours out. You'll never get to grips with file upload security until you do.
The file was a PHP shell script which has been doing the rounds for a few months. I have multiple copies disguised as GIFs or other files which have been uploaded onto my server - I don't error out on such infections since they're all caught and quarantined for my personal reading list.... There are dozens of these floating around. Some are pretty complex, some are like bots which focus on specific changes. For example there was a Serendipity script floating around a while back which took advantage of the recommended 777 chmod on directories to write dozens of HTTP redirects into .htaccess files, and create new PHP scripts with obscured popup code which created popup pr0n adverts...
I would suggest it's a security flaw. My reasoning being your settings are probably not isolated out there on the internet and you did not verify the file was a valid image GIF.
Heres the thing...and the reason I don't consider it a *flaw*
It's a generic file manager...so checking if a file is a GIF or a PDF is pointless...cuz they could just rename the file to somefile.php.mpg or whatever...
Checking the file headers is out of the question...
I was aware of the security risks...but my mistake was assuming only PHP scripts executed when they had the extension PHP or INC
For this reason, I need to know the setting required to prevent *anything* but PHP scripts from executing...
This way...so long as I prevent uploading of PHP scripts...I should be ok...
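The Apache setting asked about above is mod_mime's multiple-extension handling: with the usual AddHandler/AddType line, every dotted component of a filename is looked at, so "somefile.php.gif" gets the PHP handler from ".php" and the image type from ".gif", and is executed. The fragment below is an added example, not configuration from the original thread; the upload directory path and the mod_php setup (as opposed to php-fpm, where the SetHandler target would be a proxy:fcgi:// URL) are assumptions, and the access-control syntax is Apache 2.4 (on 2.2 it would be "Order deny,allow" / "Deny from all").

```apache
# Weak (common default): the handler is attached to ANY extension position,
# so "shell.php.gif" and "shell.php.mpg" both run as PHP.
AddHandler application/x-httpd-php .php

# Fix 1: bind the PHP handler only to names whose LAST extension is .php.
# "shell.php.gif" no longer matches and is served as a static file.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# Fix 2 (defence in depth): nothing in the upload tree is ever executed,
# whatever it is called. Path is an assumption for this example.
<Directory "/var/www/html/uploads">
    # mod_php only; under php-fpm use a <FilesMatch> that returns 403 instead.
    php_flag engine off
    RemoveHandler .php .phtml .php3 .php5 .phar
    RemoveType    .php .phtml .php3 .php5 .phar
    <FilesMatch "\.(php|phtml|php3|php5|phar|inc)$">
        Require all denied
    </FilesMatch>
    # An uploaded .htaccess (the 777-directory trick mentioned earlier in the
    # thread) must not be able to undo the above.
    AllowOverride None
    Options -ExecCGI -Includes
</Directory>
```

Check it after reloading: request an uploaded "x.php.gif" and confirm the response is the raw bytes (Content-Type: image/gif, PHP source visible if you put `<?php` in it), and request "uploads/x.php" and confirm a 403. Fix 1 alone is enough for the specific ".php.gif" case; Fix 2 is what keeps a future AddHandler change, or a .phtml/.phar alias you forgot, from reopening it.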
I had a quick look over the script and it just acts as an interface to make it simpler to exploit the system further.
The fact that it's on the system means that your code had a hole that allowed it to be uploaded; you may be lucky and your system may actually be quite secure and patched. It's still worth some investigation though.
// $_FILES replaces the long-removed $HTTP_POST_FILES array.
// Note: $_FILES['file']['type'] is the Content-Type the *browser* sent with
// the upload; nothing here looks at the actual file contents.
if ($_FILES['file']['type'] != "image/gif"
    && $_FILES['file']['type'] != "image/pjpeg"
    && $_FILES['file']['type'] != "image/jpeg") {
    $error = "This file type is not allowed";
    // PHP deletes the temp file at the end of the request anyway; this just
    // removes it immediately.
    unlink($_FILES['file']['tmp_name']);
} else {
    // the file is the correct format (according to the client-supplied type)
}
Just use getimagesize to detect the image type. It works and if you are accepting images and NOT using this then it really is a security flaw.
You should be using that to detect the image type and if the image type doesn't match the extension used then the uploaded data should be discarded.
PHP manual in GetImageSize wrote:
Returns an array with 4 elements. Index 0 contains the width of the image in pixels. Index 1 contains the height. Index 2 is a flag indicating the type of the image: 1 = GIF, 2 = JPG, 3 = PNG, 4 = SWF, 5 = PSD, 6 = BMP, 7 = TIFF(intel byte order), 8 = TIFF(motorola byte order), 9 = JPC, 10 = JP2, 11 = JPX, 12 = JB2, 13 = SWC, 14 = IFF, 15 = WBMP, 16 = XBM.
In situations where you allow other file types to be uploaded, such as PDFs and text files, you couldn't use getimagesize for those file types... How would you then prevent it from happening for them?
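The approach recommended in the getimagesize post above, extended to the PDF/text question just asked, as an added example that is not code from the original thread. It validates the upload by content per type (getimagesize for images, the "%PDF-" header for PDF, a UTF-8/no-NUL/no-"<?" check for text), takes only the last extension into account, ignores the browser-supplied $_FILES['file']['type'] entirely, and stores the file under a server-chosen name so the original filename never reaches the filesystem. The destination directory and the allowed-type list are assumptions for the example; it needs PHP 7.0 or later for random_bytes() and the return type declarations.

```php
<?php
// Added example: content-based upload validation. Not the thread's code.

/** Image type code from the file header, or 0 if it is not a real image. */
function sniffImage(string $path): int
{
    $info = @getimagesize($path);          // parses the header, ignores the name
    return $info === false ? 0 : (int) $info[2];
}

/** True if the first bytes of $path equal $magic (e.g. "%PDF-"). */
function hasMagic(string $path, string $magic): bool
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, strlen($magic));
    fclose($fh);
    return $head === $magic;
}

/** Plain text: valid UTF-8, no NUL bytes, and no "<?" that could be a PHP tag. */
function isPlainText(string $path): bool
{
    $data = file_get_contents($path, false, null, 0, 1024 * 1024);
    return $data !== false
        && strpos($data, "\0") === false
        && strpos($data, '<?') === false
        && preg_match('//u', $data) === 1;
}

/** Allowed final extension => validator that inspects the CONTENT. */
function allowedTypes(): array
{
    return [
        'gif' => function (string $p): bool { return sniffImage($p) === IMAGETYPE_GIF; },
        'jpg' => function (string $p): bool { return sniffImage($p) === IMAGETYPE_JPEG; },
        'png' => function (string $p): bool { return sniffImage($p) === IMAGETYPE_PNG; },
        'pdf' => function (string $p): bool { return hasMagic($p, "%PDF-"); },
        'txt' => function (string $p): bool { return isPlainText($p); },
    ];
}

/**
 * Validate one entry of $_FILES and move it into $destDir.
 * Returns the server-chosen filename; throws on anything suspicious.
 */
function validateUpload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Only the LAST extension counts: "shell.php.gif" -> "gif", ".htaccess" -> "htaccess".
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    $types = allowedTypes();
    if (!isset($types[$ext])) {
        throw new RuntimeException("Extension .$ext is not allowed");
    }

    // The content must really be what the extension claims. $file['type'] is
    // deliberately never consulted: the client chooses it.
    if (!$types[$ext]($file['tmp_name'])) {
        throw new RuntimeException("Content of '{$file['name']}' is not a valid $ext");
    }

    // Server-chosen name: random, one extension, nothing from the user in it.
    $safeName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($destDir, '/') . '/' . $safeName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store the file');
    }
    return $safeName;
}

// Usage in the upload handler (directory is an assumption):
// $stored = validateUpload($_FILES['file'], __DIR__ . '/uploads');
```

Two caveats a reviewer would raise. First, getimagesize() only proves the file starts with a valid image header; a real GIF with PHP appended after the image data still passes, so the web server must also refuse to execute anything in the upload directory, or the image should be re-encoded through GD (imagecreatefromgif() and imagegif()), which drops trailing bytes. Second, the check for text is a heuristic: a .txt file is harmless only because the server never interprets it, which again comes back to the server configuration rather than the validator.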