Forum Moderators: coopster
We have since changed all our login names and passwords and removed the code but the threat still remains. We think the problem is with the upload code, the code is very basic right now, all it does is disallow certain file extensions, which we all know isn't very helpful. I can rename extensions or add extra extensions to the end of files and the upload still works.
There is not enough budget available for us to fix the aforementioned problems, but what we think will work is changing the chmod on uploaded files to 0666 so the files cannot execute.
I'm planning on using the PHP chmod() function to do this, but my question is: will this work to protect against executable files?
After this mess, we did a lot of work as quickly as possible to modernize a bunch of old code, and the following points are helpful for uploaded files:
1) Check the file extension. Use a white-list style (i.e., only what you say can get in gets in).
2) Check the file size. Don't let users upload significant file sizes.
3) Have files uploaded into locations above the web-level. For example, you have the site 'google.com' whose web root is located at '/home/google/public_html/'. Instead of uploading files to '/home/google/public_html/files/' (where any web user can access them), have the files uploaded to '/home/google/files/'. This makes them only accessible to the server. You then only need to write a separate PHP script to handle "retrieving" the files (which can have its own security implementations).
4) Check the file/MIME type. This will quickly catch any file that is simply "renamed". Though be warned, an "experienced" user can modify the file/MIME type.
5) Generate random names for uploaded files, and retrieve them with some sort of "key" system (database/etc required). For example, 'mydog.pdf' is uploaded; have the server change it to '4049fiflc.pdf' and store this info in a DB, with a key like '69769795', where this key is used to access the file. This helps prevent a malicious user from uploading a malicious file and attempting to locate/run/etc it.
There is a lot of other great info/tips out there. Try Googling something like "PHP file upload security" or such.
Best of luck!
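The five points above, applied together in one upload handler plus the separate retrieval script mentioned in point 3. This is an added example, not code from the original thread; the paths, the form field name, the database table and its columns are all assumptions made for the illustration.

```php
<?php
// Added example (not from the original post). Assumed layout, mirroring point 3:
//   web root:   /home/example/public_html/
//   uploads:    /home/example/files/          (above the web root, unreachable by URL)
// Assumed form field: <input type="file" name="upload">
// Assumed table:      uploads(access_key, stored_name, mime, original_name)
declare(strict_types=1);

const UPLOAD_DIR = '/home/example/files';
const MAX_BYTES  = 2 * 1024 * 1024; // 2 MiB (point 2)

// Point 1: white-list. Each extension maps to the MIME type the file's CONTENTS
// must have; anything not listed is rejected. SVG is deliberately absent because
// it can carry script.
const ALLOWED = [
    'pdf'  => 'application/pdf',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

function store_upload(array $file, PDO $db): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Point 2: size check on the temp file itself, not on anything the client sent.
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Point 1: only the LAST extension counts, so "shell.php.jpg" is treated as a
    // JPEG and must still pass the content check below as one.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Point 4: detect the type from the file's magic bytes (ext-fileinfo), ignoring
    // the client-supplied $file['type'], which the browser fills in from the name.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        throw new RuntimeException("content is $detected, expected " . ALLOWED[$ext]);
    }
    // Point 5: random stored name with no relation to the user's name.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;
    // Point 3: move above the web root. move_uploaded_file() refuses any source
    // path that is not a genuine upload for this request.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    // No execute bit and no world write. Note that the execute bit is not what
    // keeps a .php file from running under mod_php (the server reads and
    // interprets it); keeping the file outside the web root is.
    chmod($dest, 0640);
    // Point 5: unguessable retrieval key, mapped to the stored name in the DB.
    $key  = bin2hex(random_bytes(16));
    $stmt = $db->prepare('INSERT INTO uploads (access_key, stored_name, mime, original_name) VALUES (?, ?, ?, ?)');
    $stmt->execute([$key, $stored, ALLOWED[$ext], $file['name']]);
    return $key;
}

// The separate retrieval script from point 3 (e.g. download.php?key=...): the only
// path by which a browser ever reaches a stored file.
function serve_upload(string $key, PDO $db): void
{
    if (!preg_match('/^[0-9a-f]{32}$/', $key)) { http_response_code(404); return; }
    $stmt = $db->prepare('SELECT stored_name, mime, original_name FROM uploads WHERE access_key = ?');
    $stmt->execute([$key]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) { http_response_code(404); return; }
    $path = UPLOAD_DIR . '/' . basename($row['stored_name']); // basename(): no traversal even via DB contents
    header('Content-Type: ' . $row['mime']);                   // the type WE verified, never the client's
    header('X-Content-Type-Options: nosniff');                  // stop browsers second-guessing it as HTML
    header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode($row['original_name']));
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Constructed usage (hypothetical DSN/credentials):
// $db = new PDO('mysql:host=localhost;dbname=site', 'user', 'pass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// if (isset($_FILES['upload'])) { echo store_upload($_FILES['upload'], $db); }
// if (isset($_GET['key']))      { serve_upload($_GET['key'], $db); }
```

The retrieval script is where "its own security implementations" from point 3 would go (login check, rate limiting, per-user ownership of keys); serving with `Content-Disposition: attachment` and `nosniff` also keeps a browser from rendering a stored file inline as HTML even if a content check were ever fooled.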
(what we think happened) upload an executable file that put JavaScript on a bunch of our web pages.
Did you locate an uploaded executable? This is normally entirely possible without FTP access; that is, while changing passwords frequently and not using "regular FTP" is good practice, this is not likely the culprit. As mentioned, this can be done using MySQL injection to the public web pages, and is likely due to poor input cleansing from your scripts.
Two comments here. While uploading is definitely a threat, "regular FTP" transmits the user name and password in clear text with every file you upload. You should use a secure FTP program like SFTP instead. While this is a security issue, in this case I don't know that this is your cause. The second is that identifying a file by extension is no security at all. As you have indicated, anyone can rename malicious.exe as malicious.jpg, upload it, and when it is included in a page, execute it.
what we think will work is changing the chmod on uploaded files to 0666 so the files cannot execute.
Good practice, but, as said, it will not help if the attack was via MySQL injection.
What is the nature of your file uploads? Images, PDFs, what?
I ask because a very good solution in these scenarios is to install and use Imagick, the PHP interface to ImageMagick (you will also have to install ImageMagick). When the file is uploaded, use ImageMagick - which actually reads the file headers - to determine the file type; if it's not a valid file type, delete it and return an error.
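The Imagick check described in that reply, written out as an added example (not code from the thread). It assumes ext-imagick is installed, an upload field named "photo", and a storage directory above the web root; all of those are assumptions for the illustration. It goes one step beyond the reply by also re-encoding accepted images, so what gets stored is never the attacker's original bytes.

```php
<?php
// Added example (not from the original post): validate an upload with Imagick,
// which parses the file's real headers, and delete anything that is not an image
// of an expected format. Assumes ext-imagick; paths and field names are hypothetical.
declare(strict_types=1);

const ACCEPTED_FORMATS = ['JPEG', 'PNG', 'GIF']; // ImageMagick format names, not file extensions
const MAX_PIXELS       = 25000000;               // refuse decompression bombs before decoding

// Returns the ImageMagick format name, or throws if the file is not an accepted image.
function validate_image(string $tmpPath): string
{
    $img = new Imagick();
    try {
        // pingImage() reads headers and geometry without decoding pixel data, so a
        // renamed executable, PHP source or a huge file fails cheaply here.
        $img->pingImage($tmpPath);
        $format = strtoupper($img->getImageFormat());
        if (!in_array($format, ACCEPTED_FORMATS, true)) {
            throw new RuntimeException("not an accepted image format: $format");
        }
        if ($img->getImageWidth() * $img->getImageHeight() > MAX_PIXELS) {
            throw new RuntimeException('image dimensions too large');
        }
        return $format;
    } catch (ImagickException $e) {
        // Unparsable as an image at all (renamed .exe, .php, truncated file, ...).
        throw new RuntimeException('file is not a valid image: ' . $e->getMessage(), 0, $e);
    } finally {
        $img->clear();
    }
}

// Re-encode from decoded pixels: metadata (EXIF, comments) and any bytes appended
// after the image data are dropped, so a payload riding inside a real JPEG does
// not survive into storage.
function sanitize_image(string $tmpPath, string $destPath, string $format): void
{
    $img = new Imagick($tmpPath);
    $img->stripImage();
    $img->setImageFormat($format);
    $img->writeImage($destPath);
    $img->clear();
    chmod($destPath, 0640); // readable by the server only; no execute bit, no world write
}

// Constructed usage for an upload field named "photo" (hypothetical).
if (isset($_FILES['photo']) && $_FILES['photo']['error'] === UPLOAD_ERR_OK) {
    $tmp = $_FILES['photo']['tmp_name'];
    try {
        $format = validate_image($tmp);
        $dest   = '/home/example/files/' . bin2hex(random_bytes(16)) . '.' . strtolower($format);
        sanitize_image($tmp, $dest, $format);
        echo 'Stored.';
    } catch (RuntimeException $e) {
        @unlink($tmp); // delete the rejected upload and return an error, as the reply suggests
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

Two caveats when using this: PDF support in ImageMagick goes through Ghostscript, which has had its own parsing problems, so if PDFs must be accepted they deserve a separate check rather than being added to ACCEPTED_FORMATS; and pinging is not the same as fully decoding, so keep the pixel-count limit before sanitize_image() decodes the whole file.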