File Uploads -- Avoiding Exploits?

wscreate

I wrote a php script that uploads a file. The upload script checks against a database that contains "acceptable" file extensions. For example, the database contains a list of acceptable extensions such as .jpg, .gif, .png.

If someone attempts to upload a .exe file, for example, they receive an error message and the upload is halted before it starts.

It works well. Now, I am just looking for some opinions of those who are security conscious. I am wondering what types of files should be generally avoided in order to decrease the opportunity for a successful hack. For example, on Windows, I would imagine preventing the upload of a .exe file is a good idea.

Can you suggest any other extensions for a paranoid person to avoid?

MarkR

I recommend you use a whitelist rather than a blacklist. Have a list of "acceptable" types, and if it's any OTHER type, reject it.

Unfortunately people can still upload a file which isn't what it says. This is problematic- you could try checking the magic number (e.g. with some library).

If you're only going to consider images which the imagesize() function understands, you could use that to determine that the files are indeed images.

Mark

wscreate

MarkR wrote:
I recommend you use a whitelist rather than a blacklist. Have a list of "acceptable" types, and if it's any OTHER type, reject it.

Unfortunately people can still upload a file which isn't what it says.

I have heard of this. How would a person forge a document for upload? Would they disguise a .exe file as a .gif file, for example? I realize that is easy enough to do, just save the .exe file as .gif file. However, how could someone execute a .gif file as a .exe file, for example? I want to know, so I can learn to avoid or prevent this.

Thanks.

suntra

Here is what an upload HTTP query looks like :

POST /php-tests/fsockopen_envoi_fichier.php HTTP/1.1
Host: localhost
User-Agent: HTTPTool/1.0
Content-Type: multipart/form-data; boundary=---------------------------4ba731e0a0
Content-Length: 3340
Connection: close

-----------------------------4ba731e0a0
content-disposition: form-data; name="field1"

Test é1
-----------------------------4ba731e0a0
content-disposition: form-data; name="field2"

Test é1

-----------------------------4ba731e0a0
Content-Disposition: form-data; name="file1"; filename="changer_style_sheet.html"
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="fr" xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Test</title>
...
</head>
<body>
...
</body>
</html>
-----------------------------4ba731e0a0--

Look at this line :
« Content-Type: text/html »

So, anyone can do anything !