I allow uploading of images via a script that is accessible to logged in users of a certain group.

user signs up
user submits listings with image.
image checked for extension, filesize, and mime type
mime type compared with extension type
file moved from tmp to images folder
file checked off as 644
admin approves images and listings
all done

1) check for file extension could easily be faked

I disagree, you cannot fake the extension. It is what it is.
the contents on the other hand may or may not be of the appropriate type. I know it's a little anal to clarify that point but just thought I would.

In the end I was quite shocked to discover that I really see no way of making a secure upload form.

What specifically do you consider insecure? If you do all of those things in your list that's a good start. You just want to allow pdf and doc extensions so the image functions should not need to be applied. You can use something like this to check for the correct extension.

function checkAllowedExt($file)
{
//check file for allowed extensions returns true if type
$temp = strtolower($file);
$ext = pathinfo($temp, PATHINFO_EXTENSION);
$allowed = array('pdf', 'doc');
if (in_array($ext, $allowed))
return true;
return false;
}

Once you have narrowed down what you will accept you only have to certify the correctness of those file types. Accept only what you want and dump everything else.

Security comes down to a multilevel approach. You can have the most secure script in the world but if your server is loose then it doesn't matter.

Another possible way around this. If you absolutely don't want file uploads, build a form which users add their information to and generate the pdf for them. You also have a consistent look and feel to the documents by doing so. You can format the display however you want as another benefit.

Regards,
Brandon

I disagree, you cannot fake the extension.

So if I create a nasty executable ordinary-file.exe and rename it ordinary-file.jpg, upload it, what then? Opening the image in a browser will surely present a broken icon but by then it's too late, it's been opened and you rely on the user's AVG to identify the pattern.

I do agree on one point though, multiple methods help reduce the possibility.

For images, ImageMagick reads the file headers, and you can delete the file if an unaccepted type is found, but this is of no help with other file types. Even then, the executable can be crafted with header information that can spoof the file type. This would fail to display an image in most cases, but it would circumnavigate your file type check, so they won't care.

There are some PHP classes out there that read everything from video to .docs, and identify them, but a truly crafty hack could spoof any of them.

Another possible avenue of protection is to have a running and updated AVG software directly on your server and run the AVG on any file uploaded. This would obviously slow the whole thing down as it checks against it's database for malicious virus patterns.

Nothing is truly secure 100%, but the O.P. prompts a great question, and hopefully some good answers will be posted here.

Hey rocknbil, I agree 100% security seems virtually unreachable : (
Thanks for clarifying the file extension theory.

Bkeep, try making an exe file, just a small demo in visual basic or whatever then change the extension from .exe and put .jpg
After doing that go try it out on the code you provided.

As for this topic, it would be really handy if we could combine our knowledge and come up with a script that would be at least 99% safe.
We have already established that images can be protected more easily, but how to go about uploading other files? Doc, pdf, mp3?

We are in agreement Like I said it was more a less a comment about semantics.

the contents on the other hand may or may not be of the appropriate type.

So we agree but I may have worded it in a way that didn't come off as such.

One other thing I do a few other checks to verify a file is an actual image I didn't post those steps since this wasn't about image files, or atleast I didn't think it was.