ident Posted December 11, 2009

Just found 2 instances of this on my website that had been uploaded by the image upload. My site's been coded to stop anything bad happening like this and nothing did. What could it have done?

PFMaBiSmAd Posted December 11, 2009

> My site's been coded to stop anything bad happening like this...

Post your upload form processing code if you want someone on the forum to help with what it might or might not be doing.

Edit: Also post other relevant details such as .htaccess files that are in place to either prevent the execution of .php files or browsing to files in the upload destination folder.

ident (Author) Posted December 11, 2009

You will have to forgive me, I didn't build the site. It's mine but a mate did. The handle script is

```php
<?php

require_once('../inc/config.inc.php');

function rand_str($length = 14, $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890')
{
    // Length of character list
    $chars_length = (strlen($chars) - 1);

    // Start our string
    $string = $chars[rand(0, $chars_length)];

    // Generate random string
    for ($i = 1; $i < $length; $i = strlen($string))
    {
        // Grab a random character from our list
        $r = $chars[rand(0, $chars_length)];

        // Make sure the same two characters don't appear next to each other
        if ($r != $string[$i - 1]) $string .= $r;
    }

    // Return the string
    return $string;
}

if( (!$_FILES) || ( !is_uploaded_file($_FILES['upfile']['tmp_name']) ) ) {
    # nothing given to upload
    header('Location: Upload.htm');
    exit;
}

require_once('../inc/mysql.inc.php');

# check the given file extension is valid
$allowed_exts = array('jpeg', 'jpg', 'gif', 'tiff', 'png', 'tif');
$infile_bits = explode('.', $_FILES['upfile']['name']);
$infile_ext = strtolower( $infile_bits[count($infile_bits)-1] );

# quit if an invalid extension is given
if( !in_array($infile_ext, $allowed_exts) ) {
    include('header.php');
    echo '<div style="text-align: center;"><img src="homer.gif" width="290" height="267" /></div>';
    echo '<div style="text-align: center;">'.htmlentities($infile_ext, ENT_QUOTES).' is not supported</div>';
    die;
}

# create a random filename that isn't yet taken in the database
$nametries = 0;
$nameok = 0;
while($nametries < 4) {
    $filename = rand_str();
    $check_query = 'SELECT `id` FROM `images` WHERE `storedname` = \''.$filename.'.'.$infile_ext.'\'';
    $check_result = mysql_query($check_query);
    @$check_row = mysql_fetch_object($check_result);
    if(!$check_row->id) {
        # this filename isn't taken yet
        $nameok = 1;
        break;
    }
    $nametries++;
}
if(!$nameok) {
    print 'error: failed to find usable filename (this is probably a bug)';
    die;
}

# copy the file to the storage folder
if( !move_uploaded_file($_FILES['upfile']['tmp_name'], $config['uploadpath'].$filename.'.'.$infile_ext) ) {
    print 'error: failed to move the uploaded file';
    die;
}

# input the new file in the database
$newup_query = 'INSERT INTO `images` (`upname`, `storedname`, `fileext`, `uploaded`) VALUES (\''.addslashes($_FILES['upfile']['name']).'\', \''.$filename.'\', \''.$infile_ext.'\', NOW())';
mysql_query($newup_query);

header('Location: viewpic.php?file='.$filename);
?>
```

I don't know what an htaccess file is.

keldorn Posted December 11, 2009

Checking for just the file .ext is not a secure way to handle image uploads. This is how I would handle image uploads:

1. Check for extension - If it fails, stop processing, give a message of invalid file type.
2. Check MIME type - If it fails, stop processing, give a message of invalid MIME type.
3. Size check it with getimagesize() -- If it fails, stop processing, give a message that the supposed image was not an image.
4. Recrop/resize then save. -- The last check, if it fails, will throw a warning, but you can use @ to suppress it. If it truly is not an image it will fail on trying to resize it. -- Stop processing and give a message to gtfo.

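The four checks listed in the post above, applied in order in one function. This is an added example, not code posted by anyone in the thread: `store_image_upload()`, `$destDir` and the 8000-pixel dimension limit are assumptions, and it needs PHP's fileinfo and GD extensions. TIFF is left out of the allowed list because GD cannot decode it.

```php
<?php
// Added example, not from the thread. Function name, $destDir and limits are hypothetical.
function store_image_upload(array $file, string $destDir): string
{
    // Allowed extension => MIME type expected for that extension.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png',  'gif'  => 'image/gif'];

    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload received.');
    }

    // 1. Extension check. The name is client-supplied, so this is only a first filter.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('Invalid file type.');
    }

    // 2. MIME type detected from the file contents, not taken from $_FILES[...]['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException('Invalid MIME type.');
    }

    // 3. getimagesize() must recognise the file and report sane dimensions.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[0] < 1 || $info[1] < 1
        || $info[0] > 8000 || $info[1] > 8000) {
        throw new RuntimeException('File is not a usable image.');
    }

    // 4. Decode and re-encode. Only the re-encoded copy is stored; the original is discarded.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded.');
    }
    imagesavealpha($img, true);                 // keep transparency when writing PNG
    $name = bin2hex(random_bytes(8)) . '.png';  // server-chosen name and extension
    if (!imagepng($img, rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not save image.');
    }
    return $name;
}
```

Call it as `store_image_upload($_FILES['upfile'], $config['uploadpath'])` inside a try/catch and show the exception message to the user. The upload folder should still be configured so that the web server never executes files from it.
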
ident (Author) Posted December 11, 2009

Is there something I can read to help me implement this? I'm extremely new to PHP, but willing to learn.

keldorn Posted December 12, 2009

> Is there something I can read to help me implement this? I'm extremely new to PHP, but willing to learn.

I can't say of any tutorials that show how to offer secure image upload. I've looked myself before when I was less experienced, but I just figured it out myself. Of all the things, I would say resizing the image and saving a copy of it and discarding the original is the safest. You can even do this without losing any quality in the image: say the image is a 500 x 500 pixel JPEG, you can resave it as a 500 x 500 JPEG again, making the image safe. Because script kiddies will hide PHP or JavaScript inside the JPEG, you ever heard of those hacks, not sure how successful any attack vector like that would be, but resaving the image would remove any such non-safe data from the image.

In the meantime while you figure it out, stop any PHP code from running in the upload directory. If you're running Apache, put this in your .htaccess for starters:

```
php_flag engine off
```

There is also this nice class you can plug into your script that will handle the nitty gritty of image manipulations, http://asido.info. But it requires some OOP knowledge to use. There are quite a few examples available that come with it, so just look through it.

PFMaBiSmAd Posted December 12, 2009

Where on your web server did you find the c99 scripts? Were they only in the folder you are putting uploaded files in? What exact file names did they have?

Here is another recent thread on the c99 script - http://www.phpfreaks.com/forums/index.php/topic,270592.0.html

It was discovered that some combinations of operating system/web server (I suspect primarily when php is running as an Apache module, not enough specific information was posted in that thread to definitively identify which) cause file names such as c99.php.ext, where ext is an extension that your upload script allows, to be parsed as php code when requested.

The best protection is to disable the php engine for the upload destination folder.

Daniel0 Posted December 12, 2009

> It was discovered that some combinations of operating system/web server (I suspect primarily when php is running as an Apache module, not enough specific information was posted in that thread to definitively identify which) cause file names such as c99.php.ext, where ext is an extension that your upload script allows, to be parsed as php code when requested.

I saw someone posting a configuration snippet yesterday (not here) where he made .php* parseable by PHP. I assume it was to get things like .php4, .php5 and such. This could open up for that.

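A way to answer the questions raised above (where the files are and what they are named) by auditing an upload folder for names like c99.php.ext and for files that are not images. This is an added example, not code from the thread: `audit_upload_dir()` is a hypothetical name, the list of PHP-like extensions is an assumption, and the two sample files are constructed so the script runs offline.

```php
<?php
// Added example, not from the thread. audit_upload_dir() is a hypothetical name.
function audit_upload_dir(string $dir): array
{
    $findings = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $f) {
        if (!$f->isFile()) continue;
        $path = $f->getPathname();
        $reasons = [];

        // A PHP-like segment anywhere after the first dot: c99.php.jpg, x.php5, y.phtml.gif
        $segments = array_slice(explode('.', strtolower($f->getFilename())), 1);
        if (preg_grep('/^(php\d*|phtml|phar)$/', $segments)) {
            $reasons[] = 'php-like extension in name';
        }
        // Full PHP open tag in the first 1 MiB (short open tags are not matched).
        $head = (string) file_get_contents($path, false, null, 0, 1048576);
        if (preg_match('/<\?php/i', $head)) {
            $reasons[] = 'contains PHP open tag';
        }
        // The file is in an image upload folder but is not recognised as an image.
        if (@getimagesize($path) === false) {
            $reasons[] = 'not a valid image';
        }
        if ($reasons) $findings[$path] = $reasons;
    }
    return $findings;
}

// Constructed sample data: one suspicious name with placeholder content, one real 1x1 GIF.
$dir = sys_get_temp_dir() . '/upload_audit_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/c99.php.jpg", '<?php /* constructed placeholder, no payload */');
file_put_contents("$dir/pixel.gif",
    base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));

foreach (audit_upload_dir($dir) as $path => $reasons) {
    echo basename($path), ': ', implode('; ', $reasons), PHP_EOL;
}

// Remove the constructed sample files again.
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Point `audit_upload_dir()` at the real upload path to list files worth inspecting; a hit is a reason to look at the file and the web server's handler configuration, not proof that anything executed.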