UPload script vurability

[Renlok]

I have an upload script and supposedly people can upload shell scripts if they name them like shell.php.jpg is there anyway i can actually check if the image is really an image? at the monet i check the mine type and the extension but it doesnt work.

 

http://www.milw0rm.org/exploits/8288

[Maq]

Vulnerability:

~~~~~~~~~~

 

Anyone can upload shell php with extension eg: shell.php.jpg.

 

Check to make sure there aren't two extensions.

[Renlok]

how would i do that?

[laffin]

u can use the gdimage that comes with php, but its not a shure fire way to prevent scripts.

so maybe just a header check, and a filename check will suffice

$it = @exif_imagetype($file["tmp_name"]);
if (!($it == IMAGETYPE_GIF || $it == IMAGETYPE_JPEG || $it == IMAGETYPE_PNG)))
	die("Upload failed. Sorry, the file you uploaded was not recognized as a valid image file.");

 

should do well for image checks, but as stated its not full proof. but makes it quite a bit harder.

 

the next step, is not to save it as a usernamed filr, either rename it or store the original filename in the db.

prolly renaming it is simplest way, giving it some arbitary number (or just use md5 to generate the name).

 

Renaming it yerself also prevents users from overwriting other ppls uploads as well... good luck