egturnkey Posted November 20, 2010

Hello dear friends, I have a very simple PHP script for my website, and it has a feature where a visitor can register and upload an image for their own profile. Someone has uploaded a PHP shell as an image and succeeded in taking control of my website using that shell. So the problem is that the image upload can pass any file; can someone please help me with how to prevent it? Here is the code of the image upload form and function.

* Image upload form code

```html
<form action="profile.php" method="post" enctype="multipart/form-data" name="form" id="form">
  My Picture : <input name="userpic" type="file" id="userpic"/>
  <input type="submit" name="Submit" value="Update"/>
</form>
```

* Profile.php code (it renames the image by adding the time to its name, then puts the image in the path /users/, then inserts the new name of the image into the database table)

```php
$ImageName    = $_FILES['userpic']['name'];   // Get the image name as sent by the browser
$t            = time();                       // Get time
$NewImageName = "$t$ImageName";               // New name: timestamp + original name
copy($_FILES['userpic']['tmp_name'], "users/$NewImageName");
$sql = "update users SET userpic='$NewImageName'";
```

How then can I stop them uploading a shell? :'( Thanks
papaface Posted November 20, 2010

This'll help: http://www.webcheatsheet.com/PHP/file_upload.php
egturnkey Posted November 20, 2010 (Author)

> This'll help: http://www.webcheatsheet.com/PHP/file_upload.php

Thank you, but I'm not sure it is a secure way as well, because its idea depends on getting the size and header, and both can be faked easily. I've found one of the comments saying he is using getimagesize(): if there is no value or an error, then it can't be an image, and if there are values, then it must be an image, and he passes it.

```php
$size = getimagesize("yourmom.jpg");
if ($size) {
    // valid image, show it
    echo '<img src="yourmom.jpg">';
} else {
    // bad image
    echo "try again!";
}
```

Does anyone have a comment on it? Is it true? Thanks
laffin Posted November 20, 2010

The header follows a JPEG-style header, while the PHP code is in the metadata. This can happen with GIFs/PNGs as well, but since most sites just do JPEGs, I found this: http://www.ozhiker.com/electronics/pjmt/library/documentation/edit_write_file_info.html
PFMaBiSmAd Posted November 20, 2010

It is possible to fake out and bypass just about every type of upload file checking in the right (wrong) situation. For example, in some combinations/versions of operating system, Apache, and PHP running as a server module, it is possible to use a filename like file.php.jpg and get it to pass simple file extension checking (the final .jpg is valid and will get past any code that is just testing for a .jpg ending). But read this: some lazy programmer (probably in the Apache code) stopped parsing the file name at the .php in it and executes the file.php.jpg as a .php file.

The safest things you can do that will ultimately protect you from a dangerous uploaded file in all situations are to:

A) Move the file into a folder that cannot be browsed to, either because it is located outside of your document_root folder or because it has had all HTTP/HTTPS requests disabled for the files in the folder. This option requires that you OUTPUT the files dynamically using some PHP code when they get requested.

B) Move the file into a folder that has had the PHP language engine disabled, along with any other server-side scripting languages that are available on your server, and any execute permissions (in case one of your scripts is putting user input into operating system shell commands). This will cause the content of the file to be simply output instead of parsed by the server-side scripting language(s) when the file gets requested.
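Added example (not code from any poster in this thread): it ties together the two points made above. First it shows why the getimagesize() check egturnkey asked about is not enough: a real 1x1 GIF with PHP appended after the image trailer still reports a valid size. Then it gives a replacement for the original profile.php logic along the lines of PFMaBiSmAd's option A: the image is decoded and re-encoded with GD (which drops anything that is not pixel data, including the appended shell), stored under a random name with a server-chosen extension in a directory outside document_root, and only ever delivered through a PHP script. The function names, the `$uploadDir` argument and the demo input are this example's own assumptions; it assumes the GD extension is loaded and PHP 7 or later.

```php
<?php
// Added example (not from the thread). Assumes ext/gd and PHP >= 7.
// $uploadDir is assumed to be a directory OUTSIDE document_root.

// Output formats we are willing to produce, keyed by getimagesize() type.
const ALLOWED   = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
const MAX_BYTES = 2 * 1024 * 1024;

/**
 * Validate an uploaded image and store a RE-ENCODED copy under a random name.
 * $file is one entry of $_FILES. Returns the stored basename, throws on any problem.
 */
function storeProfileImage(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // getimagesize() alone is NOT a security check (the header is trivially faked);
    // here it only rejects obvious junk and tells us which whitelisted format to write.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED[$info[2]])) {
        throw new RuntimeException('not an allowed image type');
    }
    // Decode the pixels and throw the original bytes away. Trailing data, comments
    // and EXIF blocks (where a shell hides) do not survive a GD re-encode.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }
    // Random name, never derived from the client's filename, with OUR extension,
    // so file.php.jpg style tricks have nothing to work with.
    $ext  = ALLOWED[$info[2]];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    switch ($ext) {
        case 'gif': $ok = imagegif($img, $dest);       break;
        case 'jpg': $ok = imagejpeg($img, $dest, 90);  break;
        default:    $ok = imagepng($img, $dest);       break;
    }
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $name;
}

/**
 * Deliver a stored image (e.g. image.php?f=NAME). Because the directory is outside
 * document_root, this script is the only way the files are reachable over HTTP.
 */
function serveProfileImage(string $name, string $uploadDir): void
{
    // Accept only names storeProfileImage() could have generated: no paths, no other dots.
    if (!preg_match('/\A[0-9a-f]{32}\.(gif|jpg|png)\z/', $name)) {
        http_response_code(404);
        return;
    }
    $path = rtrim($uploadDir, '/') . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = ['gif' => 'image/gif', 'jpg' => 'image/jpeg', 'png' => 'image/png'][substr($name, -3)];
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');       // stop browsers "guessing" a different type
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

// Demo with CONSTRUCTED input: a genuine 1x1 GIF with a PHP payload appended after
// the GIF trailer byte, which is roughly what was uploaded to the original poster's site.
$gd = imagecreatetruecolor(1, 1);
ob_start();
imagegif($gd);
$gif = ob_get_clean();
imagedestroy($gd);

$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, $gif . '<?php echo "shell"; ?>');

var_dump(getimagesize($tmp) !== false);           // bool(true): the naive check is fooled

$dir    = sys_get_temp_dir();                     // stand-in for a directory outside document_root
$stored = storeProfileImage(['tmp_name' => $tmp, 'size' => filesize($tmp), 'error' => UPLOAD_ERR_OK], $dir);
var_dump(strpos(file_get_contents("$dir/$stored"), '<?php') === false); // bool(true): payload gone
unlink($tmp);
```

In a real handler also check `is_uploaded_file($file['tmp_name'])` before reading it (left out here only so the demo can run on a temp file), and store `$stored` in the database with a prepared statement instead of interpolating it into the SQL string as the original code does. Re-encoding does not help if the images are left in a web-reachable folder that still has the PHP engine enabled; the random name and chosen extension only reduce the attack surface, the directory placement (option A) or engine disablement (option B) is what actually removes it.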