Re: PHP Security

Greg Donald wrote:
> The other day a post came across one of those mailing lists discussing
> PHP security.  One of the posters was describing how insecure PHP's
> file upload functionality is and went on to explain a simple method of
> attaching exploit code to the end of a jpeg or other image format,
> then proceeding in uploading the image to the target site that
> accepted image uploads.
> The code would be executed as PHP in spite of
> the file type detection.  I'd think there would be no need to parse a
> jpeg as PHP, right?

There are times when one needs to parse a file that ends in .jpg (or
.jpeg) as PHP.

Specifically, broken browsers (various versions of IE) that ignore
Content-type: headers and use the URL to determine the MIME type will not
correctly display a URL such as:

http://l-i-e.com/gd_example.php

Said browser will, however, correctly handle:

http://l-i-e.com/gd_example.jpg

Note that both images are dynamic and, in fact, the two source files are
Linux symbolic (hard) links, as is this PHP source code:
http://l-i-e.com/gd_example.phps

The real problem in the described scenario is that somebody was foolish
enough to take an image supplied by the untrusted USER and then feed it to
PHP to be executed.

Well, duh.

Don't do that.

:-)

You could do the exact same thing in Perl, C, or maybe even ASP.
[You'd really have to work at it in ASP, though, since ASP is broken.]

> Needless to say this discussion quickly caught my attention and I
> began to defend PHP explaining how the unsafe functions could be
> disabled via the php.ini and so forth.  But then I began to wonder..
> surely if an exploit were possible the PHP folks would have been
> informed and the source would have been patched by now, right?

If an exploit is possible, but has nothing to do with PHP specifically,
and has everything to do with a bad programmer, bad admin, or just plain
user stupidity (PHP user, not end user) then why would the PHP Development
Team change PHP?

> I guess my question is.. is PHP's file upload functionality really
> safe?  I myself have a lot at stake if it's not.

Is your car really safe?  I have a lot at stake if it's not.  Should we
outlaw cars because some people drive drunk?

> I don't know much about writing exploits, I just try to keep up to
> date on security patches and bulletins and all.  But these security
> guys really seem to think PHP is insecure as far as file uploading, so
> now I'm wondering about it all.

The best way to learn more about security, other than poring over security
lists with way too much information, plus lots and lots of misinformation
from well-meaning people, is to role-play yourself as the bad guy and ask
yourself:  "If I was mean, how would I mess with this to break this guy's
site?"

I'm no security expert, but it amazes me the stupidity of some coding I
see.  It's not *that* tricky to put yourself in the bad guy's shoes.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
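
The advice in the message above, never feeding a user-supplied image to PHP for execution, sketched as an upload handler. This is an added example, not code from the original post; the function names, the `photo` form field and the `/var/uploads/images` directory are assumptions, and it requires the GD extension.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: store an uploaded JPEG as inert data.
// $destDir is assumed to be outside the web root, so no handler
// mapping (such as ".jpg parsed as PHP") can ever apply to it.
function store_uploaded_jpeg(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or is not an HTTP upload');
    }

    // Decide the type from the file's bytes, not the client-supplied name or MIME type.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('not a JPEG image');
    }

    // Decode and re-encode: only the decoded pixels are written out,
    // so bytes appended after the image data are not carried over.
    $img = imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('JPEG could not be decoded');
    }

    // Server-generated name: the user's filename never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    if (!imagejpeg($img, rtrim($destDir, '/') . '/' . $name, 90)) {
        throw new RuntimeException('could not write image');
    }
    return $name;
}

// Hypothetical helper: serve a stored image as bytes. readfile() copies
// the file to the response; it is never passed to include or require.
function send_stored_jpeg(string $name, string $dir): void
{
    if (preg_match('/\A[0-9a-f]{32}\.jpg\z/', $name) !== 1) {
        throw new InvalidArgumentException('unexpected image name');
    }
    header('Content-Type: image/jpeg');
    header('X-Content-Type-Options: nosniff');
    readfile(rtrim($dir, '/') . '/' . $name);
}

// In the upload endpoint (field name and directory are assumptions):
// $name = store_uploaded_jpeg($_FILES['photo'], '/var/uploads/images');
```

If a site does map `.jpg` to PHP for its own dynamic images, as the message describes, that mapping should cover only the directory holding the site's own scripts, never the one where uploads are stored.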

