
script injection?


robert_gsfame


The two most popular and easiest ways that someone can add folders and files on your server are -

1) You have an upload script that allowed someone to upload and execute their own php script on your server. The php script that they uploaded was a file manager/control panel that then allowed them to do anything they wanted.

2) You are including files based on file names put onto the end of URLs, such as ?page=some_file, the allow_url_fopen and allow_url_include settings are on, and someone got your code to include and run their own remote php code on your server. The php script that they got your code to include and run resulted in a file manager/control panel script being placed on your server that allowed them to then do anything they wanted.

The fix for item #1 is to validate what was uploaded and to place the uploaded file into a folder that either does not permit any http requests to the uploaded files or has the php language engine disabled. This will prevent any php scripts that get uploaded from running (even those that appear to be image files and can pass most validation tests).

The fix for item #2 is to validate the get parameters (you must validate ALL external data) that are put onto the end of the URL and to turn OFF the allow_url_fopen and allow_url_include settings. This will prevent the inclusion and execution of remote php code. You also need to validate the get parameters that you are putting into include statements to make sure that administrator include files on your server are not being included into a normal visitor page, as that would give the visitor access to the administrator operations.


Thanks a lot for your explanation. But I need more details on what you have explained to me, PFMaBiSmAd.

For item #1 - does validating mean validating the file type? Only image or pdf, is that what you mean?

Can you please explain this a bit more technically:

"that either does not permit any http requests to the uploaded files or to disable the php language engine in the folder"

I also don't get the solution for item #2.

If you don't mind, I also need your technical explanation of that.

If there is a link, I hope you can show it to me.

Thanks


If you have a file upload feature, it would be quicker and would allow a more complete assessment of the security holes if you just posted the code.

Are you even including files based on get parameters, so that what I wrote in point #2 even applies to what you are doing? No one wants to write a book that has nothing to do with the problem. And again, if you are including files based on get parameters - A) are the two settings that I mentioned even turned ON (in the case of remote php code inclusion) and B) it would be quicker and would allow a more complete assessment of the security holes if you just posted the code (in the case where someone could be including administration pages into a visitor's page).


This is the html code

<!-- method="post" is required for a file upload to be sent -->
<form name="form1" method="post" enctype="multipart/form-data" action="">
<input type="file" name="file1">
<input type="submit" value="Submit">
</form>

Okay, and this is my php code

<?php
// Read the uploaded file's details from $_FILES
$file_name=$_FILES['file1']['name'];
$file_tmp=$_FILES['file1']['tmp_name'];
$file_size=$_FILES['file1']['size'];
$file_type=$_FILES['file1']['type'];
$path="my_folder/$file_tmp";

Then it tries to validate the size & type

if($file_size>100000)
{
  echo "Size exceeds maximum";
}
elseif(($file_type!=="image/pjpeg")&&($file_type!=="image/jpg")&&($file_type!=="image/jpeg"))
{
  echo "Only jpg allowed";
}
else
{
  // Move the temp file into my_folder
  if(move_uploaded_file($file_tmp,$path))
  {
    echo "Okay file uploaded!";
  }
}

Which part is wrong? Then what if I change my folder permission to 775 instead of 755, will that help? Thanks

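An added example, not code from PFMaBiSmAd or the poster, showing both fixes from the first reply applied to the upload handler posted above: the upload check inspects the file bytes instead of the browser-supplied type and stores the file under a random fixed-extension name in a folder assumed to sit outside the web root, and the ?page= include from item #2 goes through a whitelist lookup. The folder path and the page names are assumptions.

```php
<?php
// Added example, not code from this thread: hardened form of the posted upload
// handler (item #1) and a whitelisted ?page= include (item #2).
// UPLOAD_DIR is an assumed path outside the web root; an image that passes the
// checks below can still carry php code, so the folder must never execute it.
const UPLOAD_DIR = __DIR__ . '/../uploads_private';
const MAX_BYTES  = 100000; // same limit the posted code used
function store_jpeg_upload(array $f): string
{
    // Reject anything PHP itself flagged (partial upload, over limit, etc.).
    if (!isset($f['error']) || $f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    // Size check on the real temp file, not the client-reported value.
    if (filesize($f['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('Size exceeds maximum');
    }
    // $_FILES['type'] is sent by the browser and can be forged; sniff bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($f['tmp_name']) !== 'image/jpeg') {
        throw new RuntimeException('Only jpg allowed');
    }
    // Never reuse the client filename (or tmp_name): random name, fixed
    // extension, so nothing ending in .php can reach the disk.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}
// Item #2: map ?page= through a fixed table instead of building an include
// path from user input (page names are assumed).
function page_include_path(string $page): string
{
    $allowed = ['home' => 'home.php', 'about' => 'about.php'];
    return __DIR__ . '/pages/' . ($allowed[$page] ?? '404.php');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file1'])) {
    try {
        $stored = store_jpeg_upload($_FILES['file1']);
        echo 'Okay file uploaded: ' . htmlspecialchars($stored);
    } catch (RuntimeException $e) {
        echo htmlspecialchars($e->getMessage());
    }
}
include page_include_path($_GET['page'] ?? 'home');
```

With Apache mod_php, an .htaccess in the upload folder containing `php_flag engine off` is the "disable the php language engine" option from the first reply; serving the stored files through a separate download script instead of a direct URL is the "no http requests" option.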
