File Upload, Secure Methods?

DrThodt

Hi, just registered. A friend showed me today that filenames and mime-types can easily be faked. He told me to check the file extension against an array of sorts of file extensions I want to be uploaded. Also that I should check the full path of the file (shoudl it include ../ etc) against the root/file/upload path. Are there any really good ways to do this?

laserlight

A friend showed me today that filenames and mime-types can easily be faked. He told me to check the file extension against an array of sorts of file extensions I want to be uploaded.

Doesnt make much sense, since the file extension is effectively part of the filename, and can be spoofed more easily than MIME type.

DrThodt

Originally posted by laserlight
Doesnt make much sense, since the file extension is effectively part of the filename, and can be spoofed more easily than MIME type.

Yes but if you tried to spoof a php file with a .gif extension, it won't execute as php.

laserlight

Yes but if you tried to spoof a php file with a .gif extension, it won't execute as php.

That's looking from a serverside point of view, which I think shouldnt be too bad either way, assuming the server is configured properly.

On the other hand, the submitter could spoof say, a malicious (executable?) file that some browsers (i.e. IE) might not handle properly, clientside, unless you check the MIME type as well.

ravenlock

That doesn't make much sense either, unless you're proposing that you upload code to be eval()'d or executed in some other way.

There's no point in being paranoid about it unless there's actually an attack vector there somewhere. If you're uploading files to store them somewhere, it doesn't really make difference what they contain, so long as you don't try to run them.

PHP has a way to check uploaded files (see the manual for is_uploaded_file()) to see if they really were uploaded and not someone trying to be sneaky.

DrThodt

He showed me that you can infact upload php scripts to anywhere in the httpd's structure to be executed just by running them, thats something I would like to protect against. Along with spoofing file names to add directory paths to them.

laserlight

He showed me that you can infact upload php scripts to anywhere in the httpd's structure to be executed just by running them

That depends on how you write your script, but I suppose that's your question 😛

Along with spoofing file names to add directory paths to them.

Consider using [man]basename/man

ravenlock

That can't be right, unless it's the way you handle the uploaded file. The user can't decide where to upload the file -- they get written to a temp directory by default. In any case, if you disallow files with .php extension, they can't be executed, as the server makes it's decision to run the file based on the file extension.

laserlight

as the server makes it's decision to run the file based on the file extension

I think that decision should be based on the MIME type, actually.

DrThodt

Originally posted by laserlight
I think that decision should be based on the MIME type, actually.

The mim-type is easily spoofed though.

laserlight

The mim-type is easily spoofed though.

I've also pointed out that file extensions are easily spoofed.

As you noticed, spoofing is one thing, exploiting is another.

You can always go with both checks, but I suspect that checking for MIME type woulod be more standard compliant.

ravenlock

Well yes, but as you really can't determine the MIME type based on anything else except the extension when it comes to ASCII text files, of which some are meant to be run, some displayed as-is and some parsed as HTML by the client, it's mostly the same thing.

And indeed, the file extension is by far easier to spoof, a simple rename operation would do that. MIME types at least require modifying the multipart/form-data headers (it does actually send the MIME type, doesn't it? I don't know my RFC by heart 😉)

DrThodt

basename() I'm sure will help alot as it can remove the spoofed ../'s thanks.

amcgrath

I think I'm gonna regret this post, but the originator wrote the following:

"He showed me that you can infact upload php scripts to anywhere in the httpd's structure to be executed just by running them"

which I read to mean they are going into the document root. Well, it would seem to me, uploading them to a directoryoutside of what is visible to the web would be a good thing to do.

amc