Jump to content

UPload script vurability


Renlok

Recommended Posts

I have an upload script and supposedly people can upload shell scripts if they name them like shell.php.jpg is there anyway i can actually check if the image is really an image? at the monet i check the mine type and the extension but it doesnt work.

 

http://www.milw0rm.org/exploits/8288

Link to comment
https://forums.phpfreaks.com/topic/151429-upload-script-vurability/
Share on other sites

u can use the gdimage that comes with php, but its not a shure fire way to prevent scripts.

so maybe just a header check, and a filename check will suffice

$it = @exif_imagetype($file["tmp_name"]);
if (!($it == IMAGETYPE_GIF || $it == IMAGETYPE_JPEG || $it == IMAGETYPE_PNG)))
	die("Upload failed. Sorry, the file you uploaded was not recognized as a valid image file.");

 

should do well for image checks, but as stated its not full proof. but makes it quite a bit harder.

 

the next step, is not to save it as a usernamed filr, either rename it or store the original filename in the db.

prolly renaming it is simplest way, giving it some arbitary number (or just use md5 to generate the name).

 

Renaming it yerself also prevents users from overwriting other ppls uploads as well... good luck

 

 

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.