Execute PHP File with non PHP etension?

Anon

I've created this thing that allows people to upload files withthe following extensions: .swf (flash file) , .zip , .txt . Is there anyway a malicious user could upload a PHP/other script with one of those extensions and somehow get it to execute on my server? We're running Apache and it's configure with the extensions .php and .php3 only...

thanks in advance

[deleted]

That would be possible if you allow users to upload files into the documentroot of your server, so they can later call that file through the webserver.

But ofcourse you were smart enough not to let anybody upload into the documentroot... weren't you? 🙂

Anon

Hey Jesse,

It's funny the people you meet on certain websites! It's Scott from actionscript.com!

No Jesse, it would not be possible for anyone to upload a php script and then run it unless it was called a php or a php3 file. This is because your webserver will only start the PHP engine when it encounters a php or php3 file. All it will do is pump out the php code to the browser!

This is only the case for PHP though(well as far as I know anyway). I am not too sure about any of the other languages.

Why don't you try it and see. Just write simple PHP script save it in a file named test.tst or something and then upload it to your server. Call the page from your browser and see what happens!

Cya mate.

Anon

Thanks both for replies. Hey again Scott.
Vincent, I allow uploads into a directory nested 3 levels deep from my public_html... will that cause problems? pardon my ignorance, I'm still pretty new to PHP in real terms.

Cheers

Jesse

Anon

Cheers

Jesse

[deleted]

DO you mean you store the files in
/documentroot/some/dir/here/uploadedfiles ?

In that case, epeople could upload a PHP script, and then call a url to access it.
Your webserver is PHP-aware, so instead of serving the script, it will execute it.

That would give a lot of opportunities to create virus-scripts, backdoors etc.

Anon

Yeah that's what I mean. Darn it! I can't figure this out. Quick rundown of what I'm doing:
User uploads files. Directory created in private section for administration. If entry is approved, directory is moved to public area and files are indexed in DB. The problem is I can't get a CHMOD combination working which allows all users to view the files in the directory (and their contents) but dissalows scripts. I thought to work around it by only allowing .swf, .zip and .txt files but if the server will interpret a .txt I'm back to square one. I could of course manually check each entry for any scripts before uploading it but that would make my dynamic and carefree system a waste of time 🙂
Any advice?
Thanks for your help so far!

[deleted]

First, your webserver should only recognise *.php as php scripts, and leave the rest alone.

There are a few things you can do.

a) move the uploaded files to a directory outside the documentroot. That way any malicious files can nolonger be accessed directly and are therefore safe.
If you want make the files downloadable, you can make a PHP script that will load the file into memory and pass it on to the client without executing it.

b) Recognise PHP scripts.
Check for .php files and rename them to .phps, which will make the webserver print and the script with syntax-highlighting instead of executing it.

c) Invalidate PHP scripts.
Look for the <?php tag and replace it with <pre>. that way PHP can't find a 'start of php-block' marker and it will not execute the code.

Anon

Last thing I promise: you say "First, your webserver should only recognise .php as php scripts". It's currently configured with .php and *.php3. Should I remove php3? And if I do this alone, does it fix my security flaw or can a malicious user, as we were saying before, run their .txt file as a PHP despite the extension?

cheers again

Jesse

[deleted]

When I say it should only use *.php, I really mean: it should only recognise the extentions that you use, and nothing else. That is simple security.

The webserver processes the files depending on their extention, so it's not possible to get it to run a .txt file as a PHP script if the file doesn't have a .php extention.

Anon

ok that extension bit was my original question... maybe I didn't phrase it well. thanks again ! :o)

Anon

Hey Jesse,

I was the second post to this message and I told you that the web server will only interpret PHP when there is a file with an extension that you have set PHP to read?

Why don't you test it out for your self. Get a PHP script, save it as .txt or whatever file you want, then access it from a browser window and see what happens!!!!!!!!!! All you'll get is your php code!

Cheers,

Scott.

Anon

Scott,
I had (of course) tested it myself before asking but I'm no PHP guru so I was just ensuring that someone who knew more than me wouldn't be able to find some way around it ;o)

Cheers

Jesse