homepage Welcome to WebmasterWorld Guest from 54.167.238.60
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
Forum Library, Charter, Moderators: coopster & jatar k

PHP Server Side Scripting Forum

    
completely secure uploads, an utopia?
punisa




msg:4021356
 10:14 pm on Nov 8, 2009 (gmt 0)

Hello guys,
getting deeper into file uploading I start to realize that doing this in PHP might be impossible - as far as you care about security.

I've read dozens of pages that suggest several methods to secure file uploads:
1) check for file extension
could easily be faked
2) check for MIME type
could be faked
3) read into a few 100bytes of file and check what it is
again, could be faked
4) upload outside of root
5) take care of CHMOD-ing the uploads folder
6) give file a random name (then save its rand. name in DB)
7) read its size(width n height)
works only on images
8) give file upload permission only to registered users

This last one sounds *really* helpful, like a person determined to hack me can not make a small effort of registering first, duh.

In the end I was quite shocked to discover that I really see no way of making a secure upload form.

I have a site where people should be able to upload their resumes, either in MS word .doc file or .pdf file.

Should I actually give up on this? Is it really that hard to make this work securely
How about dozens of sites all over the web which lets you upload documents for conversion

Would love to hear your opinion on this one : )

 

bkeep




msg:4021926
 9:07 pm on Nov 9, 2009 (gmt 0)

I allow uploading of images via a script that is accessible to logged in users of a certain group.

user signs up
user submits listings with image.
image checked for extension, filesize, and mime type
mime type compared with extension type
file moved from tmp to images folder
file checked off as 644
admin approves images and listings
all done

1) check for file extension could easily be faked

I disagree, you cannot fake the extension. It is what it is.
the contents on the other hand may or may not be of the appropriate type. I know it's a little anal to clarify that point but just thought I would.

In the end I was quite shocked to discover that I really see no way of making a secure upload form.

What specifically do you consider insecure? If you do all of those things in your list that's a good start. You just want to allow pdf and doc extensions so the image functions should not need to be applied. You can use something like this to check for the correct extension.

function checkAllowedExt($file)
{
//check file for allowed extensions returns true if type
$temp = strtolower($file);
$ext = pathinfo($temp, PATHINFO_EXTENSION);

$allowed = array('pdf', 'doc');
if (in_array($ext, $allowed))
return true;
return false;
}

Once you have narrowed down what you will accept you only have to certify the correctness of those file types. Accept only what you want and dump everything else.

Security comes down to a multilevel approach. You can have the most secure script in the world but if your server is loose then it doesn't matter.

Another possible way around this. If you absolutely don't want file uploads, build a form which users add their information to and generate the pdf for them. You also have a consistent look and feel to the documents by doing so. You can format the display however you want as another benefit.

Regards,
Brandon

rocknbil




msg:4021964
 9:57 pm on Nov 9, 2009 (gmt 0)

I disagree, you cannot fake the extension.

So if I create a nasty executable ordinary-file.exe and rename it ordinary-file.jpg, upload it, what then? Opening the image in a browser will surely present a broken icon but by then it's too late, it's been opened and you rely on the user's AVG to identify the pattern.

I do agree on one point though, multiple methods help reduce the possibility.

For images, ImageMagick reads the file headers, and you can delete the file if an unaccepted type is found, but this is of no help with other file types. Even then, the executable can be crafted with header information that can spoof the file type. This would fail to display an image in most cases, but it would circumnavigate your file type check, so they won't care.

There are some PHP classes out there that read everything from video to .docs, and identify them, but a truly crafty hack could spoof any of them.

Another possible avenue of protection is to have a running and updated AVG software directly on your server and run the AVG on any file uploaded. This would obviously slow the whole thing down as it checks against it's database for malicious virus patterns.

Nothing is truly secure 100%, but the O.P. prompts a great question, and hopefully some good answers will be posted here.

punisa




msg:4022031
 10:54 pm on Nov 9, 2009 (gmt 0)

Hey rocknbil, I agree 100% security seems virtually unreachable : (
Thanks for clarifying the file extension theory.

Bkeep, try making an exe file, just a small demo in visual basic or whatever then change the extension from .exe and put .jpg
After doing that go try it out on the code you provided.

As for this topic, it would be really handy if we could combine our knowledge and come up with a script that would be at least 99% safe.
We have already established that images can be protected more easily, but how to go about uploading other files? Doc, pdf, mp3?

bkeep




msg:4022054
 11:32 pm on Nov 9, 2009 (gmt 0)

We are in agreement Like I said it was more a less a comment about semantics.


the contents on the other hand may or may not be of the appropriate type.

So we agree but I may have worded it in a way that didn't come off as such.

One other thing I do a few other checks to verify a file is an actual image I didn't post those steps since this wasn't about image files, or atleast I didn't think it was.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved