They uploaded php shell on my website..Help!

[egturnkey]

Hello dear friends,

 

i've very simple php script for my website and it has feature that visitor can register and upload image for own profile.

 

somone has uploaded PHP Shell as image and succeed to control on my website using that shell.

 

so the problem is in uploading image can pass any file so can someone please help me how how to prevent it and here are the codes of image upload form and function.

 

 

* Image upload form code

 

<form action="profile.php" method="post" enctype="multipart/form-data" name="form" id="form">

My Picture : <input name="userpic" type="file" id="userpic"/>

<input type="submit" name="Submit" value="Update"/>

 

* Profile.php code

(it rename the image by add time to its name then put the image in path /users/ then insert the new name of the image into the database table)

 

$ImageName = $_FILES[userpic][name]; // Get the image
$t = time(); // Get Time
$NewImageName = "$t$ImageName"; // New name
copy($_FILES[userpic][tmp_name], "users/$NewImageName");

$sql= "update users SET userpic='$NewImageName'";

 

How then i can stop they upload shell  :'(

 

thanks

[papaface]

This'll help http://www.webcheatsheet.com/PHP/file_upload.php

[egturnkey]

This'll help http://www.webcheatsheet.com/PHP/file_upload.php

 

thank you, but i'm not sure it is secure way as well cause it idea depends on getting size and header and both can be faked easily

 

i've found one of the comments saying, he is using <getimagesize> and if no value or error so it can't be image and if there is values then it must be image and pass it

 

$size = getimagesize("yourmom.jpg");

if ($size)

{

//valid image, show porn

echo "<img src="yourmom.jpg">";

}

else

{

//bad image

echo "try again!";

}

 

do anyone has comment on it , is it true

 

thanks

[laffin]

the header follows a jpeg style header, while in the metadata is the php code. this can happen with gif/pngs as well.

 

but since most sites just do jpegs, i found this http://www.ozhiker.com/electronics/pjmt/library/documentation/edit_write_file_info.html

 

[PFMaBiSmAd]

It is possible to fake out and bypass just about every type of upload file checking in the right (wrong) situation.

 

For example, in some combinations/versions of operating system, Apache, and php running as a server module, it is possible to use a filename like file.php.jpg and get it to pass simple file extension checking (the final .jpg is valid and will get past any code that is just testing for a .jpg ending.) But read this, some lazy programmer (probably in the Apache code) stopped parsing the file name at the .php in it and executes the file.php.jpg as a .php file.

 

The safest things you can do that will ultimately protect yourself from a dangerous uploaded file in all situations is to -

 

A) Move the file into a folder that cannot be browsed to, either because it is located outside of your document_root folder or it has had all HTTP/HTTPS requests disabled for the files in the folder. This option requires that you OUTPUT the files dynamically using some php code when they get requested.

 

B) Move the file into a folder that has had the php language engine disabled, along with any other server side scripting languages that are available on your server, and any execute permissions (in case one of your scripts is putting user input into operating system shell commands.) This will cause the content of the file to be simply output instead of parsed by the server side scripting language(s) when the file gets requested.