upload security

  • Philippe Lemmerling

    upload security

    I have a question concerning security of my file upload script. I'm using
    the php upload routines (move_uploaded_file, ...) and variables ($_FILES) to
    upload images to a web directory. Everything works fine, meaning that I can
    upload images BUT only if I change the permission of the directory to which
    the uploaded images are moved to 777. I guess that this is not such a good
    thing from a security point of view. So here are some questions I have:
    1) is this really that dangerous? How could this be exploited by an
    attacker?
    2) using chmod in my php script (to switch back and forth between 700 and
    777) is not an option since I'm on a virtual host and PHP is in safe mode
    3) creating a directory which is not reachable by a web browser does not seem
    to be possible either since outside my web directory everything is root-owned
    and obviously only my ISP has root permission ;-)
    4) I know that changing to ftp functions might solve this problem but I want
    to do image resize operations on the uploaded image afterwards anyway so I
    would prefer solutions allowing the creation of safe directories or
    something similar
    5) Any hints and/or tips on making safe file upload applications in php are
    welcome;

  • Randell D.

    #2
    Re: upload security


    "Philippe Lemmerling" <philippe.lemmerling@esat.kuleuven.ac.be> wrote in
    message news:1065050202.261025@seven.kulnet.kuleuven.ac.be...
    > I have a question concerning security of my file upload script. I'm using
    > the php upload routines (move_uploaded_file, ...) and variables ($_FILES) to
    > upload images to a web directory. Everything works fine, meaning that I can
    > upload images BUT only if I change the permission of the directory to which
    > the uploaded images are moved to 777. I guess that this is not such a good
    > thing from a security point of view. So here are some questions I have:
    > 1) is this really that dangerous? How could this be exploited by an
    > attacker?
    > 2) using chmod in my php script (to switch back and forth between 700 and
    > 777) is not an option since I'm on a virtual host and PHP is in safe mode
    > 3) creating a directory which is not reachable by a web browser does not seem
    > to be possible either since outside my web directory everything is root-owned
    > and obviously only my ISP has root permission ;-)
    > 4) I know that changing to ftp functions might solve this problem but I want
    > to do image resize operations on the uploaded image afterwards anyway so I
    > would prefer solutions allowing the creation of safe directories or
    > something similar
    > 5) Any hints and/or tips on making safe file upload applications in php are
    > welcome;

    Suggestions:
    Do your best to upload the files to a location outside your
    $_SERVER[DOCUMENT_ROOT] (the root of your website). Why? Well if someone
    was to upload their own php file within your document root directory, it
    gives them access to your server (or at very least, to your web site
    directory tree).

    Try changing your 777 to 770 or 775 in the chmod/mkdir and then test your
    upload again.

    If you are forced to upload inside your document root, then limit the files
    that can be uploaded (i.e. avoid html, exe, php, htm, js, java files) -
    alternatively, have all files zipped/compressed after they've been uploaded
    to reduce risks.



    • Philippe Lemmerling

      #3
      Re: upload security


      "Randell D." <you.can.email.me.at.randelld@yahoo.com> wrote in message
      news:seLeb.2827$pl3.482@pd7tw3no...
      >
      > Suggestions:
      > Do your best to upload the files to a location outside your
      > $_SERVER[DOCUMENT_ROOT] (the root of your website). Why? Well if someone
      > was to upload their own php file within your document root directory, it
      > gives them access to your server (or at very least, to your web site
      > directory tree).
      >
      > Try changing your 777 to 770 or 775 in the chmod/mkdir and then test your
      > upload again.
      >

      Only 777 seems to work because my webtree is owned by user123 of group123
      and the php uploaded files are owned by apache of group apache.
      Would it be possible to use htaccess to limit e.g. the access by IP number
      (being the IP of my virtual host then) or is this only a small protection?

      > If you are forced to upload inside your document root, then limit the
      > files that can be uploaded (i.e. avoid html, exe, php, htm, js, java files) -

      Is there a good way to check the file type; using the MIME type provided by
      the client isn't really great because that can easily be faked;

      > alternatively, have all files zipped/compressed after they've been uploaded
      > to reduce risks.
      >



      • Randell D.

        #4
        Re: upload security


        "Philippe Lemmerling" <philippe.lemmerling@esat.kuleuven.ac.be> wrote in
        message news:1065079227.580071@seven.kulnet.kuleuven.ac.be...
        >
        > "Randell D." <you.can.email.me.at.randelld@yahoo.com> wrote in message
        > news:seLeb.2827$pl3.482@pd7tw3no...
        >
        > >
        > > Suggestions:
        > > Do your best to upload the files to a location outside your
        > > $_SERVER[DOCUMENT_ROOT] (the root of your website). Why? Well if someone
        > > was to upload their own php file within your document root directory, it
        > > gives them access to your server (or at very least, to your web site
        > > directory tree).
        > >
        > > Try changing your 777 to 770 or 775 in the chmod/mkdir and then test your
        > > upload again.
        > >
        >
        > Only 777 seems to work because my webtree is owned by user123 of group123
        > and the php uploaded files are owned by apache of group apache.
        > Would it be possible to use htaccess to limit e.g. the access by IP number
        > (being the IP of my virtual host then) or is this only a small protection?
        >
        > > If you are forced to upload inside your document root, then limit the
        > > files that can be uploaded (i.e. avoid html, exe, php, htm, js, java files) -
        >
        > Is there a good way to check the file type; using the MIME type provided by
        > the client isn't really great because that can easily be faked;
        >
        > > alternatively, have all files zipped/compressed after they've been uploaded
        > > to reduce risks.

        I can't comment on using htaccess I'm afraid as it's a feature I've not
        used - but it would give you some additional security.

        With regards to checking the file types - You don't have to find out the
        mime type - You just need to make sure that whatever is uploaded is not
        confused as being a 'legal' script/page that would give the poster access to
        changing any of your web pages. For example, say your files are going to
        DOCUMENT_ROOT/upload and, the client uploads a file called crack.php

        If crack.php were to contain some malicious code, the user only need to
        visit your website using the url http://www.yourWebSite.com/upload/crack.php
        for this malicious code to run. Depending on how your webserver is
        configured, it will have special recognition for the "tags" or file
        extension names (like ".php" or ".asp" or ".pl" or whatever). So you really
        don't need to check the mime type, you just need to check the tag on a
        filename (you could use something like pathinfo() to help you with this).
        Hence why, if possible, I suggest you store the files outside your
        DOCUMENT_ROOT - For example DOCUMENT_ROOT/../upload (note the two dots
        meaning it's up or behind or outside the document root directory).

        On my system, I keep the file name tags/extension names in a db. Files that
        are uploaded have a hashed name (using md5()). The hash is never revealed to
        the end user - since the hash is 32 characters long and almost random it
        would be difficult for anybody to guess the filenames (since the original
        filename is no longer valid to the O/S). Whenever I need to reference the
        file for downloading by a user, I have it copied back to a more sensible
        name.

        However you do it, be it by keeping the files outside your document_root or
        by testing/changing the file names that are uploaded, you ought to do
        something to prevent a user from running malicious code on your machine.

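A handler that puts the advice from #2 and #4 into practice, added here as an example (it is not code from the thread or from either poster): it decides by the filename extension via pathinfo(), never by the client-supplied MIME type, renames the stored file to an md5 hash, and writes it outside DOCUMENT_ROOT. The form field name "image", the upload directory, and the getimagesize() header check are assumptions beyond what the thread states.

```php
<?php
// Added example, not code from the thread. It follows Randell's advice: decide
// by the filename extension via pathinfo(), never by the client MIME type,
// rename the stored file to an md5 hash, and keep it outside DOCUMENT_ROOT.
// Assumed: the form field is "image"; $uploadDir is a constructed path.
declare(strict_types=1);

// Extensions accepted, each with the image MIME type it must really decode to.
// Anything the server might execute (php, phtml, pl, cgi, ...) is simply absent.
const ALLOWED_EXT = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                     'png' => 'image/png', 'gif' => 'image/gif'];

// Returns [stored name, original name] on success, or null when rejected.
// The caller records that pair in its database (as the thread describes) and
// never shows the hashed name to end users.
function store_upload(array $file, string $uploadDir): ?array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;                      // not a file PHP itself received
    }
    // The "tag" on the filename, lower-cased so "CRACK.PHP" is not missed.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_EXT)) {
        return null;
    }
    // Added check beyond the thread: the bytes must parse as an image of the
    // claimed kind. getimagesize() reads the header, not $file['type'].
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== ALLOWED_EXT[$ext]) {
        return null;
    }
    // The user-chosen name never reaches the filesystem; the vetted
    // extension is re-attached so the resize code still knows the format.
    $stored = md5(uniqid('', true) . $file['name']) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    @chmod($dest, 0644);   // may be refused under safe mode; harmless if so
    return [$stored, $file['name']];
}

// DOCUMENT_ROOT/../upload, i.e. a directory no URL can reach.
$uploadDir = dirname($_SERVER['DOCUMENT_ROOT']) . '/upload';
$result = store_upload($_FILES['image'] ?? [], $uploadDir);
```

If, as in Philippe's case, nothing outside DOCUMENT_ROOT is writable, the same handler can target DOCUMENT_ROOT/upload provided the server is told not to execute anything stored there (with mod_php, an .htaccess in that directory containing `php_flag engine off`), which is the kind of htaccess protection asked about in #3.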
