I subscribe to a number of security mailing lists as I suspect many of you do, being developers and all. The other day a post came across one of those mailing lists discussing PHP security. One of the posters was describing how insecure PHP's file upload functionality is and went on to explain a simple method of attaching exploit code to the end of a jpeg or other image format, then proceeding in uploading the image to the target site that accepted image uploads. The code would be executed as PHP in spite of the file type detection. I'd think there would be no need to parse a jpeg as PHP, right?

Needless to say this discussion quickly caught my attention and I began to defend PHP explaining how the unsafe functions could be disabled via the php.ini and so forth. But then I began to wonder... surely if an exploit were possible the PHP folks would have been informed and the source would have been patched by now, right?

I guess my question is... is PHP's file upload functionality really safe? I myself have a lot at stake if it's not. I don't know much about writing exploits, I just try to keep up to date on security patches and bulletins and all. But these security guys really seem to think PHP is insecure as far as file uploading, so now I'm wondering about it all.

Chris has excellent info on general PHP security (http://shiflett.org/php-security.pdf) and I re-read it today before posting. But how does one go about "filtering" a jpeg for exploit code? Seems the only winning move is to not play.

--
Greg Donald
Zend Certified Engineer
http://gdconsultants.com/
http://destiney.com/

--
PHP General Mailing List (http://www.php.net/)
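As an added example, not part of the original post: one way to handle the case the post describes is to check the type from the file's content, re-encode the image from its decoded pixels, and store it under a server-chosen name with a fixed `.jpg` extension. The function name `store_jpeg_upload`, the demo paths and the appended marker are hypothetical, and the code assumes the GD and fileinfo extensions are loaded.

```php
<?php
// Added example (not from the post). Assumes ext-gd and ext-fileinfo.

/** Re-encode an upload as a fresh JPEG; returns the stored path or null. */
function store_jpeg_upload(string $tmpPath, string $storeDir): ?string
{
    // 1. Type check on content, not on the client-supplied name or MIME type.
    //    This inspects the file header only, so it cannot see appended bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== 'image/jpeg') {
        return null;
    }
    // 2. Decode to pixels; reject anything GD cannot parse as a JPEG.
    $img = @imagecreatefromjpeg($tmpPath);
    if ($img === false) {
        return null;
    }
    // 3. Server-chosen name with a fixed .jpg extension, so the stored file
    //    is not named in a way the web server maps to the PHP handler.
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    // 4. Write a new file from the pixels; the uploaded bytes are not copied.
    return imagejpeg($img, $dest, 85) ? $dest : null;
}

// In a real handler, $tmpPath would be $_FILES['photo']['tmp_name'] after an
// is_uploaded_file() check ('photo' is a hypothetical field name).

// --- Constructed sample input: a tiny JPEG with inert text appended ---
$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$upload = $dir . '/incoming.tmp';
$marker = "<?php /* constructed marker, does nothing */ ?>";
imagejpeg(imagecreatetruecolor(8, 8), $upload);
file_put_contents($upload, $marker, FILE_APPEND);

$hasMarker = fn(string $p): string =>
    strpos(file_get_contents($p), $marker) !== false ? 'yes' : 'no';

// The header-based check still reports a JPEG for the raw upload.
printf("detected type of raw upload: %s\n",
    (new finfo(FILEINFO_MIME_TYPE))->file($upload));
printf("marker in raw upload:  %s\n", $hasMarker($upload));

$stored = store_jpeg_upload($upload, $dir);
printf("stored as:             %s\n", basename($stored));
printf("marker in stored file: %s\n", $hasMarker($stored));
```

Re-encoding only deals with bytes appended after the image data; the fixed extension, together with a storage directory where the server does not execute scripts, is what keeps the interpreter from ever being handed the file.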