Renlok Posted March 27, 2009

I have an upload script, and supposedly people can upload shell scripts if they name them like shell.php.jpg. Is there any way I can actually check if the image is really an image? At the moment I check the MIME type and the extension, but it doesn't work. http://www.milw0rm.org/exploits/8288
Maq Posted March 27, 2009

Vulnerability:
~~~~~~~~~~
Anyone can upload shell php with extension eg: shell.php.jpg.

Check to make sure there aren't two extensions.
Renlok (Author) Posted March 27, 2009

How would I do that?
laffin Posted March 27, 2009

You can use the GD image library that comes with PHP, but it's not a sure-fire way to prevent scripts, so maybe just a header check and a filename check will suffice:

<?php
// $file is the entry from $_FILES for the upload field.
// Check the file header rather than the client-supplied MIME type or extension.
$it = @exif_imagetype($file["tmp_name"]);
if (!($it == IMAGETYPE_GIF || $it == IMAGETYPE_JPEG || $it == IMAGETYPE_PNG)) {
    die("Upload failed. Sorry, the file you uploaded was not recognized as a valid image file.");
}

That should do well for image checks, but as stated it's not foolproof, but it makes it quite a bit harder. The next step is not to save it as a user-named file: either rename it or store the original filename in the DB. Probably renaming it is the simplest way, giving it some arbitrary number (or just use md5 to generate the name). Renaming it yourself also prevents users from overwriting other people's uploads as well.

Good luck
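Putting the advice from Maq's and laffin's replies together, here is an added example of a complete upload handler (example code written for this page, not code from any poster or from the milw0rm advisory). It assumes the form field is called "image" and that the target directory is one the web server is configured never to execute PHP from; the function name storeUploadedImage, the size limit and the error messages are illustrative. It rejects double extensions such as shell.php.jpg, checks the file header with exif_imagetype() and cross-checks it with libmagic, re-encodes the image through GD so that PHP code appended after a valid image header does not survive, and writes the result under a random server-chosen name whose extension is derived from the detected type rather than from the client's filename.

```php
<?php
// Added example (not from the thread): hardened image upload handler.
// Assumes the form field is named "image" and that $uploadDir is a directory
// the web server does not execute scripts from.

declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;

// Detected image type => canonical extension we will write to disk.
const ALLOWED_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

/**
 * Validate an uploaded file and store it in $uploadDir under a random name.
 * Returns [storedName, originalName]; throws RuntimeException on any failure.
 */
function storeUploadedImage(array $file, string $uploadDir): array
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file received.');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large.');
    }

    // Reject names like shell.php.jpg: exactly one dot, a plain base name and
    // an image extension. The client-supplied name is never used on disk.
    $original = basename((string) $file['name']);
    if (!preg_match('/^[A-Za-z0-9_-]+\.(gif|jpe?g|png)$/i', $original)) {
        throw new RuntimeException('Invalid file name.');
    }

    // Check the file header, not the client-supplied MIME type or extension.
    $type = @exif_imagetype($file['tmp_name']);
    if ($type === false || !isset(ALLOWED_TYPES[$type])) {
        throw new RuntimeException('Not a GIF, JPEG or PNG image.');
    }

    // Second opinion from libmagic; it must agree with exif_imagetype().
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== image_type_to_mime_type($type)) {
        throw new RuntimeException('MIME type mismatch.');
    }

    // Re-encode through GD: a real image survives, trailing PHP code does not.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded.');
    }

    // Server-chosen name: random, with the extension taken from the detected
    // type, so the stored file can never end in .php and cannot collide.
    $ext    = ALLOWED_TYPES[$type];
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($uploadDir, '/') . '/' . $stored;

    $ok = match ($type) {
        IMAGETYPE_GIF  => imagegif($img, $dest),
        IMAGETYPE_JPEG => imagejpeg($img, $dest, 90),
        IMAGETYPE_PNG  => imagepng($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not write image.');
    }
    chmod($dest, 0644);

    return [$stored, $original];
}

// Usage: keep the random name and the original name in the database, and
// serve files from a directory where PHP execution is disabled.
if (isset($_FILES['image'])) {
    try {
        [$stored, $original] = storeUploadedImage($_FILES['image'], __DIR__ . '/uploads');
        echo "Stored {$original} as {$stored}\n";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . $e->getMessage() . "\n";
    }
}
```

Two caveats: re-encoding through GD drops GIF animation and EXIF metadata, which is usually what you want for user uploads; and no amount of content checking replaces the server-side rule that the upload directory must not be able to execute PHP (for Apache, a php_flag engine off or an AddHandler-free directory; for nginx, no PHP location covering that path), because the header check alone accepts a valid image with PHP code appended after it.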