--- Greg Donald <destiney@xxxxxxxxx> wrote:
> The other day a post came across one of those mailing lists discussing
> PHP security. One of the posters was describing how insecure PHP's
> file upload functionality is and went on to explain a simple method of
> attaching exploit code to the end of a jpeg or other image format,
> then proceeding in uploading the image to the target site that
> accepted image uploads. The code would be executed as PHP in spite
> of the file type detection.

I would challenge him to provide an example exploit. That will probably end the debate, but just in case he actually knows what he's talking about, it gives him an opportunity to clarify his point.

> I'd think there would be no need to parse a jpeg as PHP, right?

Apache (and I assume most any HTTP server) uses the file extension to determine the content type, so anything named foo.jpg will not be parsed by the PHP engine (unless, for some crazy reason, you specifically configure Apache to do so, or you mistakenly use ForceType incorrectly).

If you let someone upload a file, and you let them choose the name, and you put that file within document root, then yes, you have a pretty serious vulnerability. But, that's just stupid. You can be stupid in any language. :-)

> Needless to say this discussion quickly caught my attention and I
> began to defend PHP explaining how the unsafe functions could be
> disabled via the php.ini and so forth. But then I began to wonder..
> surely if an exploit were possible the PHP folks would have been
> informed and the source would have been patched by now, right?

Most likely. It's unfortunate, but most people who raise concerns like this have no idea what they're talking about. The reason I find it unfortunate is that realistic concerns can be lost in the crowd. This could be a realistic concern, but I'd need more details to determine that.

> I guess my question is.. is PHP's file upload functionality really
> safe? I myself have a lot at stake if it's not.

I would say it's no more or less safe than most mechanisms. PHP provides you with information about an uploaded file in the $_FILES superglobal array. What you do with it is up to you. You can certainly write code that trusts information sent by the client, but you shouldn't.

My only complaint (it's minor) with PHP's implementation is that a developer can't easily determine what data in $_FILES comes from the client. Because some of the information therein is provided by PHP (and therefore reliable), it's not like $_GET where you can safely assume that everything comes from the client. This lack of distinction makes it a bit more difficult to be a security-conscious developer.

> I don't know much about writing exploits, I just try to keep up to
> date on security patches and bulletins and all. But these security
> guys really seem to think PHP is insecure as far as file uploading, so
> now I'm wondering about it all.

PHP gets a bad rap because of the multitude of insecure applications written in the language, and (more importantly) the tendency to name applications PHP something. This means that those who keep up with things like Security Focus see PHP mentioned all the time, and they have a poor opinion of it. Of course, in reality, what they see are names like phpBB and PHP-Nuke, not PHP itself.

> Chris has excellent info on general PHP security
> (http://shiflett.org/php-security.pdf) and I re-read it today before
> posting. But how does one go about "filtering" a jpeg for exploit
> code? Seems the only winning move is to not play.

Thanks for the kind words. While I stand behind everything within that PDF, I don't want anyone to think that it's anywhere near complete. It began as a companion to my OSCON talk on PHP security (and it's changed very little since), so it only covers the topics that I chose for a 3 hour talk. File uploads were not part of that.

I did write a Security Corner (my column in php|architect) on file uploads in the October issue, but that is not available for free yet (it won't be until April). Sorry that I don't have a better resource for you - I've always felt that file uploads weren't as common as most of the other topics that I frequently write about.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
HTTP Developer's Handbook - Sams
Coming Soon http://httphandbook.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
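
The points made in the reply above (which $_FILES fields come from the client, who picks the stored name, and where the file lands), shown as an added example that is not part of the original message. The form field name `image`, the storage directory and the size limit are assumptions chosen for illustration.

```php
<?php
// Added illustration; UPLOAD_DIR, MAX_BYTES and the 'image' field are assumed values.
const UPLOAD_DIR = '/var/uploads/images';  // assumed directory outside the document root
const MAX_BYTES  = 2 * 1024 * 1024;        // assumed size limit
const ALLOWED    = [                       // server-detected MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_uploaded_image(array $file): string
{
    // 'error', 'size' and 'tmp_name' are filled in by PHP. 'name' and 'type'
    // are sent by the client and are deliberately never read here.
    if (!isset($file['error']) || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or malformed');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('file size not accepted');
    }
    // Confirm tmp_name really is a file PHP received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Detect the type from the file content on the server.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('type not accepted');
    }
    // The server chooses both name and extension, so the stored file never
    // ends in .php, and it sits where the web server does not serve scripts.
    // Bytes appended to the image are stored as inert data.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0640);
    return $target;
}

if (isset($_FILES['image'])) {
    try {
        $path = store_uploaded_image($_FILES['image']);
        echo 'stored as ', htmlspecialchars(basename($path));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected';
    }
}
```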