File Upload Security

mealybar

2:59 pm on Mar 14, 2006 (gmt 0)

10+ Year Member



Hello,

I am considering starting a photo album type project where any visitor to my site will be able to upload a picture to be included in the album.

It is the >allowing anyone access to upload< which is worrying me. What are your recommendations to make this as secure as possible?

I have a script which checks the file type upon upload, with the mime type and filename extension; checks a file is within a given filesize; uploads to a 'verify' directory because I don't think I have access away from the public_html folder; and the filename is changed to a random string of characters.

Are there more options which I could check to improve security? What CHMOD should the 'verify' directory have [I would like to be able to view them in my (password protected) admin area to verify them to go on the site]?

Are there any considerations which I have missed?

Thanks
mealybar

webdoctor

9:04 am on Mar 15, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> Are there any considerations which I have missed?

Is there a virus scanner on your site which will scan the files in the 'upload' directory before they are shown on your site?

Vastio

12:32 pm on Mar 15, 2006 (gmt 0)

10+ Year Member



I am currently doing the same things as mealybar. However, I've never thought of the security implications it might have. I'm also curious to know what people suggest.

How would you go about setting up a virus scan?

mealybar

2:56 pm on Mar 15, 2006 (gmt 0)

10+ Year Member



> Is there a virus scanner on your site which will scan the files in the 'upload' directory before they are shown on your site?

There is no virus scan available that I know of.

Potentially the submitter does not know where the files are stored before being verified [some obscure folder name]; is this sufficiently equivalent to placing them outside of the www/ dir?

When a file is uploaded to the temp directory in PHP, i.e. before we can perform any checks on it, what security risks does that pose? I'm on a shared server; does that make a difference?

jatar_k

4:48 pm on Mar 15, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Having 'anyone' be able to upload files/images is always a risk. Having a very basic user may be a better idea; that would allow at least a little tracking and would mean a little extra control.

Issues:
- viruses
- XSS (cross site scripting)
- SQL injection

XSS is a big thing as you don't want somebody uploading things that can put spyware on one of your users' CPU by exploiting their browser.

I am not a huge fan of 'anyone can upload'; there is just so little control over what ends up on your site.

tomda

6:36 am on Mar 16, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Very interesting topic. I have one such website "anyone can upload images"... Strictly JPG!

Is there really no way to check for viruses and other issues that Jatar_k mentioned?

Can viruses/XSS be found in uploaded JPG files?

jbrevell

8:48 am on Mar 16, 2006 (gmt 0)

10+ Year Member



I'd be surprised if you could find any web hosts that would be willing to take on the server burden of scanning files for viruses without charging for it...

If GD is installed, why not read the file into memory then recreate the image - the recreated image should only contain the image data from the original file:

<?php
// Decode the upload with GD; this fails if the file is not a readable JPEG.
$im = @imagecreatefromjpeg('file.jpg');
if (!$im) {
    echo "JPEG file not recognised";
} else {
    // Write a new JPEG from the decoded image; could also add in getimagesize to check if jpeg
    imagejpeg($im, 'path/to/imagestore/file.jpg');
}
?>

Alternatively, how about asking one of the free online file scanning engines if you could POST the file to it using curl - parse the output to decode whether the file is clean or not.

tomda

10:05 am on Mar 16, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for your response, Jbrevell.

> If GD is installed, why not read the file into memory then recreate the image - the recreated image should only contain the image data from the original file:

That's what I do.
1/ I put uploaded pic in tmp folder.
2/ Then recreate image and thumbnail to specific folder
3/ Delete uploaded pic from the tmp folder

I guess that this is more than enough!
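
The checks mealybar lists and the GD re-encoding that jbrevell and tomda describe, combined into one routine. This is an added example, not code from any poster in the thread; the function name `store_reencoded_jpeg`, the size and dimension limits, the file mode and the demo paths are assumptions.

```php
<?php
// Added example, not code from the thread. Function name, limits and paths are assumptions.
declare(strict_types=1);

function store_reencoded_jpeg(string $src, string $destDir, int $maxBytes = 2000000): ?string
{
    // Enforce the size limit before handing the file to any decoder.
    $size = @filesize($src);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return null;
    }
    // Decide the type from the file contents, not the client-supplied MIME type or extension.
    $info = @getimagesize($src);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return null;
    }
    // Cap pixel dimensions (assumed limit): a small file can still decode to a huge bitmap.
    if ($info[0] > 6000 || $info[1] > 6000) {
        return null;
    }
    $im = @imagecreatefromjpeg($src);
    if ($im === false) {
        return null;
    }
    // Server-chosen random name and fixed extension; nothing from the uploaded filename is reused.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    if (!imagejpeg($im, $dest, 85)) {
        return null;
    }
    chmod($dest, 0644); // assumption: readable by the web server, never executable
    return $dest;
}

// Constructed sample inputs: a valid JPEG with marker bytes appended, and a text file named .jpg.
$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
imagejpeg(imagecreatetruecolor(32, 32), "$dir/in_ok.jpg");
file_put_contents("$dir/in_ok.jpg", 'CONSTRUCTED-TRAILER-MARKER', FILE_APPEND);
file_put_contents("$dir/in_bad.jpg", 'plain text, not image data');

$stored = store_reencoded_jpeg("$dir/in_ok.jpg", $dir);
// First input: check whether the appended marker is still present in the re-encoded copy.
var_dump($stored !== null && strpos(file_get_contents($stored), 'CONSTRUCTED-TRAILER-MARKER') === false);
// Second input: text content behind a .jpg name.
var_dump(store_reencoded_jpeg("$dir/in_bad.jpg", $dir));
```

In an upload handler, `$src` would be the `tmp_name` entry from `$_FILES` after checking its error code and `is_uploaded_file()`, and the temporary file is deleted afterwards as in tomda's step 3.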